Slashdot Mirror

← Back to Stories (view on slashdot.org)

Jail Looms For Man Who Revealed AT&T Leaked iPad User E-Mails

Posted by Soulskill on from the doing-it-wrong dept.

concealment sends this quote from MIT's Technology Review: "AT&T screwed up in 2010, serving up the e-mail addresses of over 110,000 of its iPad 3G customers online for anyone to find. But Andrew Auernheimer, an online activist who pointed out AT&T's blunder to Gawker Media, which went on to publicize the breach of private information, is the one in federal court this week. Groups like the Electronic Frontier Foundation worry that should that charge succeed it will become easy to criminalize many online activities, including work by well-intentioned activists looking for leaks of private information or other online security holes. [Auernheimer's] case hasn't received much attention so far, but should he be found guilty this week it will likely become well known, fast."

82 of 124 comments (clear)

  1. He did it wrong, obviously by Anonymous Coward · · Score: 4, Informative

    Anon pastebin is the way.

    1. Re:He did it wrong, obviously by Anonymous Coward · · Score: 1

      Then it would have made no difference. You can't test free speech and outdated computer crime laws in court under the guise of anonymity.

  2. Who in their right mind prosecutes this? by BMOC · · Score: 1

    Oh right, the feds, they're never in their right mind. I shouldn't have asked, dumb question, sorry.

    --
    I swear they give me mod points to shut me up.
    1. Re:Who in their right mind prosecutes this? by garcia · · Score: 1

      That would only stand if staff didn't take direction from the political arm which happens to be manipulated by money from special interests.

    2. Re:Who in their right mind prosecutes this? by Anonymous Coward · · Score: 3, Insightful

      Actually, no. There is no such thing as "the feds" in the USA.
      There are service organizations for companies to use, which protect industry interests, but are paid by you.
      An actual government would defend you against the companies, and put everyone in jail even tries to "lobby".

      But hey, in the US, many people loudly yell and proclaim they want a "small government" and "free market", because they confuse that industry instrument with an actual government, and confuse freedom for companies to abuse them with freedom for people to live their lives. And they don't realize that that "free market" is what results in what they perceive in an "evil government" in the first place. (Like not only the ability to openly buy a president [aka "campaign donations"] but that somebody can't even get into said "government" without being bought with huge sums of money.)

      But I don't blame them. Try keeping your mind free of social/media conditioning with TV and news constantly repeating the same lies. It's a simple neurological fact which has been studied since the 60s, that a human brain can't withstand that forever. If you think you're free of it (like I often did), you've only fallen for a different version of the trap.
      The best is, not to listen/watch any of it at all. Including websites/blogs/etc. (Because falling for Alex Jones instead of Fox News or MSNBC is not better.)
      Just observe. With your own eyes. And be careful about who you trust. (And who they trust!)

    3. Re:Who in their right mind prosecutes this? by sdnoob · · Score: 4, Insightful

      at&t probably pursued and lobbied for charges to be filed so THEY look like the victim here instead of the people at the other end of those 110,000+ email addresses.

    4. Re:Who in their right mind prosecutes this? by Redmancometh · · Score: 1

      Yup.

    5. Re:Who in their right mind prosecutes this? by deathlyslow · · Score: 3, Insightful

      The best is, not to listen/watch any of it at all. Including websites/blogs/etc.

      Says the AC posting on /.

      --
      Don't blame me for redundant posts. I can't type very fast. Hence the user ID.
    6. Re:Who in their right mind prosecutes this? by tylikcat · · Score: 1

      Come now, slavish adherance to corporate interests is hardly a sole characteristic of the left. *snort*

    7. Re:Who in their right mind prosecutes this? by sosume · · Score: 1

      When we're done killing all the messengers.

  3. Reminds Me by Anonymous Coward · · Score: 1

    Of another article with this comment.

  4. Why aren't whistleblower laws shielding him? by PickyH3D · · Score: 1

    I thought there were whistle blower laws to shield people from these mishaps?

    Is it because he went to the media rather than the FBI? I'm genuinely curious as the article doesn't say much except that he's a "hacker" that downloaded a bunch of public web addresses that were easily predictable.

    1. Re:Why aren't whistleblower laws shielding him? by stox · · Score: 2

      AT&T wasn't breaking the law, whistleblower statutes do not apply.

      --
      "To those who are overly cautious, everything is impossible. "
    2. Re:Why aren't whistleblower laws shielding him? by Desler · · Score: 1

      Because the laws are usually to cover employees from receiving reprisal from their employers whether private companies or the government.

    3. Re:Why aren't whistleblower laws shielding him? by Mitreya · · Score: 3, Insightful

      AT&T wasn't breaking the law, whistleblower statutes do not apply.

      It must have. From TFA:

      One alleges that by being in possession of the e-mails from AT&Tâ(TM)s leaky system he handled 'identification information' in breach of a law intended to protect against identity theft,

      I am certain that laws protecting us against identity fraud mandate that the "identification information" is shielded from theft. AT&T has clearly failed to protect the information.

    4. Re:Why aren't whistleblower laws shielding him? by PhilHibbs · · Score: 2

      A whistleblower is someone who tells the world about a problem that can't be resolved other than by publicizing it. A whistleblower isn't someone who exploits a vulnerability 110,000 times and publishes the private information gained by exploiting it. That is not legitimate white-hat whistleblowing. This is a person who leaked personal data, not a person who reported a leak.

    5. Re:Why aren't whistleblower laws shielding him? by AwesomeMcgee · · Score: 1

      They're innocent until proven guilty, unfortunately they accidentally dropped a truck load of money in washington so the DOJ doesn't feel inclined to prosecute, therefore they weren't breaking the law and he gets no protections.

      Kind of messed up if you think about it; whistleblower laws only protect you if they were breaking the law, which means if they aren't convicted because of their highly paid legal team any whistleblower becomes fair game and totally screwed by said highly paid legal team. That law is a farce supported by companies to get those they can't trust out of their employ.

  5. "Easy to Criminalize Many Online Activities..." by Jeremiah+Cornelius · · Score: 1

    That is the point of this endeavour.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  6. 114 thousand times! by Anonymous Coward · · Score: 1

    If you find a security hole, you don't need to exploit it 114,000 times. The Gawker story is incomplete and confusing, so I'm not sure what Weev did and what Goatse Security did. But to say "there was no illegal activity or unauthorized access" is plain silly.

  7. Robin In The Hood by westlake · · Score: 1

    like the Electronic Frontier Foundation worry that should that charge succeed it will become easy to criminalize many online activities, including work by well-intentioned activists looking for leaks of private information or other online security holes.

    The road to hell and all that.

    It's time for the geek to grow up and discover that life hasn't dealt him a Get Out Of Jail Free card,

    1. Re:Robin In The Hood by flyneye · · Score: 2

      We should push for activists to be interned as thinktivists for a minimum of 4 years before engaging in any activity in support of a " cause".
      The prerequisite would demand a cause be examined from points of view other than the "cause" focused individuals involving themselves. This would enable a well rounded person to find solutions beneficial to all while bringing their goal to fruition. This new, well rounded "thinktivist" would then be allowed to replace the ineffective, greasy, dead head wannabees currently carrying out the will of those who think for them and alternately driving away support of the masses with their stoned hijinx, zombie mantras, and personal attention whoring distracting from any good that could have been.

                For instance....Greenpeace. Eventually peopled by thintivists, Greenpeace studies the possibility of setting aside a high tech pasture of Ocean for the purpose of domesticating and breeding whales for the purpose of mass consumption, like cattle. This allows wild whales to live easier and everybody wins, except of course the domestic whales, but then they live to become product. Only PETA was harmed in this scenario, good or bad, by perspective. Peta should fund more lab grown meat if they want to save Porky and Bessie. THINK! Damn, I just can't make them THINK! But, I can continue to ridicule them, till they get it or go away annoyed. WIN WIN! We all benefit!

      --
      *Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
  8. Prosecutors, these days.... by stox · · Score: 4, Interesting

    seem to be having increasing difficulty distinguishing the letter of the law versus the spirit of the law. Anything to add yet another successful prosecution to their resume with no concern as to the effects on others or the betterment of society.

    --
    "To those who are overly cautious, everything is impossible. "
    1. Re:Prosecutors, these days.... by davester666 · · Score: 2

      Are you kidding me, that is WAY down the list

      Above it are things like:
      Can I get a conviction? This is pretty much the only performance metric for prosecutors. This includes taking into account how good a defense the accused can afford.
      Am I ordered to prosecute by my superior? Will I be fired if I refuse?
      Is there pressure from any groups to prosecute, just to harass the accused, even if the prosecution will fail, so in the future the group will help me [for example, the police force]?

      The 'for the love of the law' people that aren't independently wealthy are generally removed through burnout by having all the crap dumped on them [because they love it!].

      --
      Sleep your way to a whiter smile...date a dentist!
    2. Re:Prosecutors, these days.... by jklovanc · · Score: 3, Interesting

      Would you be saying something different if someone found a warehouse door open and reported it on a scrounger web site before they reported it to the owner of the warehouse? Data has value just like merchandise. The issue is not what they did but the way they did it. A true White Hat hacker would have told the company first and given them a chance to fix it before publicizing it.

    3. Re:Prosecutors, these days.... by Mitreya · · Score: 3, Informative

      Would you be saying something different if someone found a warehouse door open and reported it on a scrounger web site before they reported it to the owner of the warehouse?

      Neither of his charges is about publicizing the the info. I could probably get on board with that

      It seems that his charges are:
      1. "by being in possession of the e-mails from AT&Tâ(TM)s leaky system he handled 'identification information'"
      2. "case is based on the Computer Fraud and Abuse Act, which forbids 'unauthorized access' to a computer." (definitely the equivalent of being charged for trespassing)

      Show me which charge involves disseminating information on a scrounger website? Up to 5 years for trespassing in an open warehouse seems ridiculous (each charge carries up to 5 years)

      If he is guilty of publishing the info - let's see a law that charges him with disseminating "identification information". But trying to make marginally related things stick is very, very dangerous.

    4. Re:Prosecutors, these days.... by westlake · · Score: 2

      Prosecutors, these days seem to be having increasing difficulty distinguishing the letter of the law versus the spirit of the law.

      The prosecutor has some discretion.

      But there are limits.

      He needs convincing and he tends to become cynical.

      He has heard it all before.

      The "spirit of the law" has to amount to something more --- much more, I afraid --- then the geek's self-serving plea that one of his own kind doesn't deserve to go to jail.

      ____

      The geek is the quintessential outsider.

      He ought to have learned by now not to rely on the kindness of strangers.

    5. Re:Prosecutors, these days.... by Impy+the+Impiuos+Imp · · Score: 1

      One thinks there must be more, some extortion or plan to misuse the info, that we aren't hearing about.

      On the other hand, these are the same people who try to get teens who send cell phone nude shots to each other registered as lifelong sex offenders who produced and distributed child pornography.

      Wrecking lives for a notch on the belt. So proud. Elect me!

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    6. Re:Prosecutors, these days.... by jklovanc · · Score: 2

      Show me which charge involves disseminating information on a scrounger website? Up to 5 years for trespassing in an open warehouse seems ridiculous (each charge carries up to 5 years)

      How about burglary (1-20 years depending on state) and possession of stolen property (up to 10 years in Washington State) would be the similar charge. They could not disseminate the information if they did not have it. They didn't just trespass, they copied the information and took it away. The charge is not about disseminating the information it has to do the possession of the information. Had they not stored the addresses the problem would have been a lot less severe.

    7. Re:Prosecutors, these days.... by Mitreya · · Score: 1

      How about burglary (1-20 years depending on state) and possession of stolen property (up to 10 years in Washington State) would be the similar charge.

      Interesting point on possession of stolen property... Possession of copies of stolen property?
      But -- can you get charged with burglary if the door was open?

    8. Re:Prosecutors, these days.... by mspohr · · Score: 1

      I don't think he "stole" the email addresses. AFAIK, they are still in ATT hands. No theft, no possession of stolen property. No burglary.
      He copied stuff that was on a public web site. ATT probably didn't intend to make it publicly available, but that should be their problem, not his.

      --
      I don't read your sig. Why are you reading mine?
    9. Re:Prosecutors, these days.... by jklovanc · · Score: 1

      Burglary is the illegal entry into a building for the purposes of committing a crime, in this case the illegal copying of data, and need not include circumvention of security. They were not authorized to access the private server therefore the act was illegal. Locks are there to make crime more difficult; not to define what a crime is.

    10. Re:Prosecutors, these days.... by jklovanc · · Score: 1

      This is where the modern age of data does not jive with the laws dealing with material goods.
      You are also confusing the analogy with the real life incident. The analogy refers to "theft" but the charges refer to "unauthorized access" and "illegal possession". Analogies are never perfect. The point is that the hacker was never authorizes to access or copy the information.

      It was also much different than being on a public web site. The hacker didn't just click on a link and have the data appear. He had to send specific requests containing specific information to get the data that he knew he was not supposed to see. Just because there was a security hole does not make it legal.

    11. Re:Prosecutors, these days.... by chrismcb · · Score: 1
      Apparently this is the MAIN thing he is being charged with:

      Weev and a fellow hacker who originally uncovered AT&T’s mistake and collected the e-mails didn’t ask the company for permission to access the Web addresses that shared iPad users’ private information. But those Web addresses weren’t hidden behind password prompts or any kind of protection – they were publicly accessible.

      Which looks like the equivalent of "trespassing". Kind of like entering an empty lot, that has no fences or signs, that is next to a public park.
      It means if you click on a random link you find, you could be arrested.

    12. Re:Prosecutors, these days.... by jklovanc · · Score: 1

      Please read all the posts before responding. He did not click on a random link. He crafted a specific URL with possible phone IDs and sent them to the server. He deliberately was looking for the information. Most requests were securely locked down but he found one that was not. It is much closer to going around a building looking for an unlocked door. The difference between trespassing and burglary is that trespassing is mere presence while burglary requires intent to do a criminal act while on the property. In this case the intent was to take data.

      It does not matter whether or not the Web addresses were hidden behind password prompts in the same way it does not matter whether or not a door is locked on a building. Entering a building through an unlocked door for the purposes of an illegal act is still burglary.

      The "empty lot" analogy does not hold water for the following reasons;
      1. The lot was not empty as there was plenty of data there.
      2. He did much more than look around as he copied information that he should not have had access to and took that copy off the property.

      One could see a similarity between crafting the URL with making a key for a lock. If the URL was not correct he would not get data. If a key is not correct the lock will not open. The fact that there are a large number of keys does not negate the fact that he had to deliberately craft it.

      Whether or not a building is locked or a service password protected defines how difficult it is to break in and not what crime is committed.

    13. Re:Prosecutors, these days.... by deimtee · · Score: 1

      Your claim equates to "typing an address directly into a browser is hacking* and you should only access the web by clicking on links."
      Tough luck if you click a malformed link and get the wrong thing back from a server, you're going to jail.

      *of the cracking type

      --
      I'm guessing that wasn't on their radar screen...
    14. Re:Prosecutors, these days.... by jklovanc · · Score: 1

      If you click on the same link over 300000 times, record the results and publish them then yes you should go to jail. Once, probably not. In every law there is an intent clause. Clicking once could be an accident. Clicking 300,000 time shows intent. By the way, the mal-formed URL is the issue of the person who wrote the URL and maybe not the issue of the person who clicked on it. In this case the accused created a script to send hundreds of thousands of requests to the server. There was definite intent there.

  9. Weev is not an online activist. by Hatta · · Score: 4, Informative

    Weev is a troll. He's better known to /. as one of the "president" of the GNAA. An all around unpleasant fellow.

    The unfortunate thing about this case is that Weev didn't actually do anything wrong here. AT&T published the email addresses, it should be AT&T facing prison time.

    --
    Give me Classic Slashdot or give me death!
    1. Re:Weev is not an online activist. by NewWorldDan · · Score: 4, Insightful

      He did do something wrong here. Whatever his intentions, he was poking around AT&T's web server in a way he knew he shouldn't have been. Just because AT&T was wrong doesn't make him right. As an analogy, I often leave my car unlocked. If you take it, you're still a car thief, even if I should have taken better care of my car. In any event, you don't have to harvest 114k emails to demonstrate a problem.1 or 2 is adequate proof that there's a problem.

    2. Re:Weev is not an online activist. by quacking+duck · · Score: 3, Insightful

      Better analogy is if you left confidential info clearly visible and readable in your car, and someone came along and saw it through the window, then told a nearby reporter about it, etc.

      This guy didn't steal AT&T, after all.

      Unfortunately, the car's owner is politically connected and his prosecutor buddy brings charges against you to cover up the owner's embarrassing blunder.

    3. Re:Weev is not an online activist. by grasshoppa · · Score: 4, Insightful

      The car analogy doesn't work here, as a website is inherently a publicly offered service, whereas your car is not. There really isn't a good analogy for this situation, as it doesn't really require an analogy in the first place.

      AT&T put private information on their public website. Mistake or not, their actions made the information public, not the defendant in this case.

      AT&T is obviously to blame here.

      --
      Mod me down with all of your hatred and your journey towards the dark side will be complete!
    4. Re:Weev is not an online activist. by hierophanta · · Score: 1
      a better analogy would be - you are a valet and you left the cars unlocked. then someone told your boss that you do a shit job of valeting the cars. you then and go punch that someone in the face.

      Whatever his intentions, he was poking around AT&T's web server in a way he knew he shouldn't have been.

      the parallel of above is that the someone was looking at the cars parked in a private area. the valet company sells the idea that no one can do that (look at your car when it is parked with them) but then puts your car on the street.

    5. Re:Weev is not an online activist. by jklovanc · · Score: 3, Interesting

      Even better analogy;
      1.Leave confidential material in a folder in an unlocked room.(create an mechanism on the server to access info without proper security)
      2. Someone come along and search the room (make semi-random requests to the server)
      3. Copy the information in the folder (record the server responses)
      4. Publish where the room is, where the folder is and the contents of the folder. (put the server name, request format and received data out on the internet)
      A true White had would have told the company before publishing the breach and they would not have tried hundreds of thousands of requests. Just because there is not a lock on the door does not mean one can rummage through the room, copy the information and publish it.

    6. Re:Weev is not an online activist. by Amouth · · Score: 1

      But taking your car would have deprived you of it. If you left the doors unlocked and i came by opened up and just took pictures of everything in your car without damaging or taking anything (but copying what i find) then I've taken nothing of yours, it isn't theft, and i have not broken and entered in any way.

      Trying to use a physical theft as an analogy for digital works doesn't work because they are not the same.

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    7. Re:Weev is not an online activist. by Hatta · · Score: 2

      As an analogy, I often leave my car unlocked.

      That analogy is so bad, it's dishonest. Your car is not a publically accessible communication system. AT&T's website is. Do you really think they're comparable? Seriously, shame on you.

      --
      Give me Classic Slashdot or give me death!
    8. Re:Weev is not an online activist. by Anonymous Coward · · Score: 1

      Better analogy is if you left confidential info clearly visible and readable in your car, and someone came along and saw it through the window, got out a cell phone and photographed the page, then turned the page and photographed the next page, over 100 thousand times, then told a nearby reporter about it, etc.

      You left out an important part, because intent matters. If they'd seen one or two e-mails and reported it, fine. Instead they put in a huge effort to create a database of such e-mails. Can anyone here honestly say that was done in good faith? Somewhere after collecting the first dozen, hundred, or maybe thousand e-mails they cross the line.

    9. Re:Weev is not an online activist. by tragedy · · Score: 1

      The information was being served by AT&T's servers without any sort of authentication required. The car analogy isn't a very good one. This is more like an entrance in a commercial building, parts of which are open to the public. When you go to a store, you expect to be able to walk into doors that are open to you, provided they're not marked "employees only" or something like that. If you walk into an open side door, discover it doesn't lead to the sales floor, then tell the store manager about it so that they'll close the door, you shouldn't be arrested for it.

      Come to think of it, I've actually done something like that years and years ago. I walked into a restaurant once at around 9 in the morning. The place had one main door, which led to a small entry area with a door on the left and a door on the right. There was I was a bit desperate to go to the bathroom and wasn't really looking around, and the bathroom was right inside the door I took. When I was done using the bathroom, I thought I would see about having breakfast there. That turned out to be a problem because the place was closed. No-one was there at all. Seems that they just left the outer door open, and the inner door that I came in wasn't closing properly, so it didn't lock. When I realized that the place was closed, I left right away. I considered leaving a note about the sticking door, but decided against it. What if they had a security camera, checked it because of my note, got my license plate, then had me arrested? Most reasonable people would have recognized it as an honest mistake, but there are an alarming number of unreasonable people out there. I decided I wouldn't be helping them much by leaving a note. It's not as if anyone with a $5 crowbar couldn't have opened that door even if it wasn't sticking. Stories like this one make me more convinced that I was better off just keeping my head down.

    10. Re:Weev is not an online activist. by Stan92057 · · Score: 1

      Um your quite wrong according to this site. Goatse Security obtained its data through a script on AT&T's website, accessible to anyone on the internet. When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application. The group wrote a PHP script to automate the harvesting of data. Since a member of the group tells us the script was shared with third-parties prior to AT&T closing the security hole http://gawker.com/5559346/apples-worst-security-breach-114000-ipad-owners-exposed Running a script is a whole lot different then just typing in a web address which most of the apologist here would have us think.

      --
      Jack of all trades,master of none
    11. Re:Weev is not an online activist. by isilrion · · Score: 1

      Better analogy is if you left confidential info clearly visible and readable in your car, and someone came along and saw it through the window, then told a nearby reporter about it, etc.

      An even better analogy: you left confidential info *about me* clearly visible and readable in your car. I had trusted you to keep it secure and I had not noticed that you were failing to do that. He saw it, and let me know in the only way he could.

      I really can't understand all those "hacking victim" apologists (note the quotes). Currently it is illegal for me to accidentally discover that my bank/phone company/isp is leaking my information or allowing transactions in my name. Without that knowledge, I can't even "vote with my wallet" and choose a more secure venue. Yet the "hacking victim" apologists only focus on how wrong the "hacker" was, instead of that his actions were the only way to learn about the "victim"'s gross negligence.

      Obviously your post is already receiving comments from apologists, "he had to poke", "he copied the information" (both of which are obvious, specially the copying, which is automatic, and required if you want to give warning). Those replies - people speaking against their own interests in defence of a negligent mega-corporation - sadden me.

    12. Re:Weev is not an online activist. by tragedy · · Score: 1

      Nope. Although I wasn't exactly using that event as a direct analogy to the events in the article, just a related anecdote. If we want to use it as an analogy, we have to decide what particular thing is analogous to the downloading of a page. If it's entering the bathroom, using the toilet, flushing, washing and drying my hands, then leaving, then it's one versus 14,000. On the other hand, disgusting as a it may be, we could also count individual droplets or even molecules/ions of water, urea, salt, etc. since those might actually be a better analogy to individual http requests. In that case we can be talking either the same approximate order of magnitude, or even far, far more "uses" in the other direction. Really all this says is that analogies are only thought experiments. Things like this really do need to be considered in their own context and a comparison to something else may be useful, but doesn't have to be an exact fit.

      Ultimately, it was the obligation of AT&T to keep that information private and they failed. Anyone with any understanding realizes that there was nothing constituting reasonable security protecting that data. That someone who accessed it faces prison, yet no-one at AT&T faces the same fate is clearly unjust.

    13. Re:Weev is not an online activist. by paulzeye · · Score: 1

      I think a slightly better analogy would be if your unlocked room is in the middle of a public store and maybe hidden behind a clothing rack. The entrance is obfuscated but there are no signs saying no entrance.

    14. Re:Weev is not an online activist. by tragedy · · Score: 1

      Have you used the world wide web lately? Let me give you a hint. At the moment, I'm looking at the URL bar of my browser. The URL in it right now is being displayed without the http:// it just starts with slashdot.org. After the slashdot.org, it's followed with comments.pl which is the name of a script and after that, by a question mark, then by a list of arguments and values separated by ampersands. The same sort of thing is true of many pages people visit. Even when the URL looks like a normal, non-script URL like the one you linked to in your post, it's pretty clear once you get to the page that it's a generated page. The advertising and the comments at the bottom of the page, etc. are all being generated by a script in the background somewhere.

      You're basically trying to draw a distinction that isn't particularly meaningful any more. They accessed a URL, accessible to anyone on the Internet, as you said. That's the relevant part.

    15. Re:Weev is not an online activist. by drinkypoo · · Score: 1

      The problem with your analogy is that a public-facing web server is assumed to have public-facing information. Trying zillions of queries is a normal way to get the data you want out of the server in a format you want, like trying to convince Netflix to give you the views you used to be able to click to. (As an aside, appending &vt=tl to many URLs gives you the old list view...) There's a big difference between checking doors and checking URLs.

      I can agree, however, that he should have told the company about the breach and waited a reasonable period before going public. There was no good reason to do otherwise.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    16. Re:Weev is not an online activist. by jklovanc · · Score: 1

      In every request he sent was the ID of a phone that he did not own. He specifically asked for information that he knew he had no right to. Also the URL he hit was not published and he had never used it before. He was not trying to get what he used to get but he was trying to get information he knew that was illegal to have. That he got it through an unlocked door make no difference.

    17. Re:Weev is not an online activist. by jklovanc · · Score: 1

      Then one is obliged to ask a store clerk if it is ok to go into the room. If someone went in that room and stole merchandise it would still be burglary.

    18. Re:Weev is not an online activist. by s0nicfreak · · Score: 1

      What if we use a public bus instead of a car?

  10. Paul J. Fishman by Anonymous Coward · · Score: 3, Informative

    I know little of the case, but it looks like this case is being brought by Paul J. Fishman, the U.S. District Attorney for New Jersey. According to Wikipedia (it's always correct), he used to work for Friedman Kaplan Seiler & Adelman. A firm that represented the Communication Workers of America. Not surprisingly, the CWA regularly deals with AT&T.

    Mr. Fishman was appointed by President Obama in 2009. If you don't like his actions, contact the Whitehouse and your representatives and let them know. Not that it'll matter, but maybe it'll make you feel better.

    Or if you'd prefer, you can always contact his office directly for more information on the case: http://www.justice.gov/usao/nj/contact.html . Though, again, not that'll it matter.

    1. Re:Paul J. Fishman by alexo · · Score: 1

      If you don't like [...], contact the Whitehouse and your representatives and let them know. Not that it'll matter, but maybe it'll make you feel better.

      And that is the most accurate and succinct summary of our(*) representative democracy that I have ever seen.

      (*) I'm not from US but the situation in Canada isn't any better.

    2. Re:Paul J. Fishman by Guru80 · · Score: 1

      In this day and age, it's a shame to say but going so far as to contact a congressman about anything you disagree with is probably just an excuse to add you to some sort of list to have your emails read and all that conspiracy crap. Not that contacting them about anything individually matters anyway. The only way it would even be noticed beyond a the standard generic form reply is if all of a sudden 10 million people emailed them.

  11. Wrong move by Anonymous Coward · · Score: 1

    If he would have done the right thing and sold the information to Chinese hackers they would have given him a little cash and no one would be getting sued.

  12. Re:Note to self by jklovanc · · Score: 1

    How about reporting it to the place that can fix it rather than to the public that can exploit it? Oh yeah, one does not have to do it millions of times to prove there is an issue. The script probably sent millions of requests to get the 110,000 valid responses.

  13. Something doesn't make sense to me... by Slyfox696 · · Score: 1

    According to the article attached to the summary, the way Weev accessed this information was typing in publicly accessible URLs. If that's the case, how in the world can he possibly be prosecuted for accessing a public website?

    Something seems to be missing here. I'm guessing there's more to this story than what is written in the article.

  14. Re:Time for (un)civil disobedience by Desler · · Score: 1

    You first, General.

  15. if you saw an open bank vault by ozduo · · Score: 2, Interesting

    do you help yourself, tell the bank, or shout about it from the rooftops? Andrew Auernheimer shouted from the rooftops and deserves punishment.

    --
    I got to the chocolate box before you, that's why the hard ones have teeth marks.
    1. Re:if you saw an open bank vault by Mitreya · · Score: 1

      if you saw an open bank vault ... do you help yourself, tell the bank, or shout about it from the rooftops? Andrew Auernheimer shouted from the rooftops and deserves punishment.

      1. Up to 10 years total seems a tad high, since we are talking about emails, not a bank

      2. He is being charged with "handling private data" and "unauthorized access" to a computer. Tell me which one of these charges is equivalent to the "shouting from the rooftops".

      If only his case involved charges such as "disseminating private information" or "promoting identity theft", but neither one of them looks like that.

    2. Re:if you saw an open bank vault by stafil · · Score: 1

      do you help yourself, tell the bank, or shout about it from the rooftops?

      Out of curiosity, if somebody was shouting about it from the rooftops; what's the law he would be breaking in that case?

    3. Re:if you saw an open bank vault by BrookHarty · · Score: 1

      Going to have to disagree, you can talk about anything you see in normally. If you opened the bank vault door first then yell its open, then you are guilty.

      This guy reported a hack he found poking around, that's a crime. If he reported a hack he found while doing normal transaction, then its not a crime. I think its pretty easy to tell the difference.. Buffer overflows and exploits are not normal transactions. This is what makes the difference between white and black hat hackers. White hat doesn't perform intrusion without authorization. They can perform analysis on normal transactions, thus no law is being broke, as you are authorized for "normal use".

  16. Former head of the GNAA by Elbereth · · Score: 1

    I wonder how many of his defenders on Slashdot realize that this is Weev, the former president of the GNAA?

    Still, I'm impressed with Slashdot's integrity, for once. After ten years of crapflooding and trolling by the GNAA, I would have thought that Slashdot would be a bit more antagonistic toward him.

  17. For those who didn't RTFA: by random_ID · · Score: 1
    He's facing 2 charges:

    1) Violating an identity theft law by "being in possession of the e-mails." With no evidence that he planned to misuse the information.

    2) Violating the Computer Fraud and Abuse act via "unauthorized access to a computer". Even though the information was publicly available on AT&T's website (not behind any kind of protection, not even a password).

    I almost hope he's convicted on the latter charge; the publicity that will generate may lead to sane revision of these laws.

    1. Re:For those who didn't RTFA: by Anonymous Coward · · Score: 1

      "With no evidence that he planned to misuse the information."

      IRC logs clearly showed weev planned to misuse the information. It even included him talking about using the breach to manipulate AT&T stock...

      This indictment includes the IRC log excepts: http://www.scribd.com/doc/113664772/46-Indictment

  18. Jury Nullification. by IMarvinTPA · · Score: 1

    Please, make sure the Jury knows about Jury Nullification. They can still declare him not guilty even if he technically broke the law. Juries are your protection against bad laws. Let them know it.

    IMarv

    --
    Trusting software vendors is no smarter than trus
    1. Re:Jury Nullification. by AvderTheTerrible · · Score: 2

      The big problem with this is that Judges tend to dislike Juries being notified of that right and tend to throw people out for even mentioning it in court.

  19. Re:Note to self by mrchaotica · · Score: 1

    Because many times the company will just bury the problem instead of fixing it (not to mention persecute you anyway).

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  20. Re:Note to self by Jiro · · Score: 1

    If you report it to the owner they have this habit of either threatening to sue you unless you keep it quiet.

  21. paladium.net by murder_face · · Score: 1

    I stumbled across this site when my father-in-law was pissing and moaning about how broke he is(111,000/year). It seems like the information here is far more dangerous than a bunch of leaked emails. Why is "free-speech" in this aspect protected, yet you can't publish a bunch of email addresses?

  22. If the bank is shoveling money into the street... by mrchaotica · · Score: 1

    ...is your analogy still stupid?

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  23. So what? by westlake · · Score: 2

    According to Wikipedia (it's always correct), he used to work for Friedman Kaplan Seiler & Adelman. A firm that represented the Communication Workers of America. Not surprisingly, the CWA regularly deals with AT&T.

    I would like to meet the man or woman with a senior position in law, finance, tech or government who at one time or another hasn't been friend or foe and often both to AT&T.

    Hereabouts, you'll find them mighty thin on the ground.

    AT&T Inc. is an American multinational telecommunications corporation headquartered in Whitacre Tower, downtown Dallas, Texas. AT&T is the largest provider both of mobile telephony and of fixed telephony in the United States, and also provides broadband subscription television services. As of 2010, AT&T is the seventh largest company in the United States by total revenue, and the fourth largest non-oil company (behind Walmart, General Electric, and Bank of America). It is the third-largest company in Texas (the largest non-oil company, behind only ExxonMobil and ConocoPhillips, and also the largest Dallas company). As of 2011, AT&T is the 14th largest company in the world by market value, and the 9th largest non-oil company. It is also the 20th largest mobile telecom operator in the world, with over 100.7 million mobile customers.

    AT&T

  24. Re:Note to self by jklovanc · · Score: 1

    Maybe maybe not. All web site owners do not react in the same way. Even if they did threaten a law suit they would have to prove it was you who told the press. If the site didn't fix the issue and go public with the problem then go to the press. Projecting what might happen and reacting to a possibility is just wrong.

  25. Here's who he screwed up .... by sgt_doom · · Score: 1

    .... he was thoroughly ignorant of who owns AT&T --- had he been so, he would have approached things entirely differently (one hopes?).

    Americans are thoroughly idiotized today --- the vast majority are still to eff-tard stupid to understand we live in a corporate fascist state, and that it is by purposeful design that Americans are completely ignorant of the ownership of those ruling corporations (especially the banksters, oil companies, pharmaceuticals and weapons makers, etc.).

    Exactly why they re-arrested that Sergey Alenikov fellow (remember the programmer and Goldman Sachs' HFT software???). --- eff with JPMorgan Chase, Goldman Sachs, Morgan Stanley, BofA, Citigroup, ExxonMobil, GE, AT&T, etc., and you're effing with the top five families in the Western Hemisphere, perhaps the planet.

  26. Re:Note to self by jklovanc · · Score: 1

    Give them time to try fixing it. If they don't fix it and publicize it then go to the press. The right way is to give the company a chance to fix the problem.

    It is difficult to bury a data security breach if it is in the courts.

  27. Bank? Library. by Moskit · · Score: 1

    It is hard to maker a good analogy and I find most of those posted far off the track.

    I see it differently: imagine a library. You know, books, of the paper variety. A lot of them, all available for public use.
    Somehow careless library management put in there their finance book. Someone found it and picked up for rental. Person at the checkout out did not object.

    It is negligence of the people who let the financial info get in the library, not the one who rented it.

  28. Re:Note to self by HappyPsycho · · Score: 1

    Don't think the GP is refering to every site just the big ones, I'd put the criteria at those large enough to have a legal department...

  29. Re:Note to self by jklovanc · · Score: 1

    It does not matter how big the legal department is if they can not prove anything in court.