41 Months In Prison For Man Who Leaked AT&T iPad Email Addresses
In 2010, querying a public AT&T database yielded over 114,000 email addresses for iPad owners who were subscribed to the carrier. One of the people who found these emails, Andrew 'weev' Auernheimer, sent them to a news site to publicize AT&T's security flaw. He later ended up in court for his actions. Auernheimer was found guilty, and today he was sentenced to 41 months in prison. 'Following his release from prison, Auernheimer will be subject to three years of supervised release. Auernheimer and co-defendant Daniel Spitler were also ordered to pay $73,000 in restitution to AT&T. (Spitler pled guilty in 2011.) The pre-sentencing report prepared by prosecutors recommended four years in federal prison for Auernheimer.' A journalist watching the sentencing said, 'I felt like I was watching a witch trial as prosecutors admitted they didn't understand computers.'
Know I'll get modded down for going against Slashdot groupthink. But what is the argument suggesting? "It all happened on a computer, it shouldn't be prosecuted?" Stealing private information and releasing it publicly isn't just obviously illegal, it caused grief for 114,000 people.
Even if AT&T has a shitty security system, that doesn't make it legal to break in. I'd love to see Slashdot do more mundane crimes. Maybe the home had a sign saying "beware of dog," but the dog was actually at the vet, so the robber was just publicizing a security flaw.
Slashdot: providing anti-social weirdos a soapbox, since 1997.
I suppose the prosecutors figured out that Auernheimer managed to lay his hands on over 100,000 email addresses that iPad owners had used to register their devices. So not random email addresses, but email addresses that were in actual use, and with some rather significant personal information attached.
So what exactly do they need to understand about computers beyond that?
If you find my key under a rock in my backyard, it is still theft if you break into my house with it and steal things.
No sigs in BETA. Beta SUCKS.
It's completely crazy and immoral to even put someone in prison for what he did. But luckily the defendant himself is crazy and immoral so it sort of evens out?
The purported target, AT&T, is hardly the nicest organization, but the actually affected people were just regular people. This doesn't seem especially out of line with the USA's normal unhealthy sentencing. We want to punish, not correct, those convicted here.
As long as that attitude remains dominant, miscarriages of justice will occur within every branch of justice (except for the super-rich).
make a profile. sign it. share it. please. http://wh.gov/sR5l
In an interview Weev says he wants to run for Congress, despite regarding the government as "seditious thugs". http://www.techweekeurope.co.uk/interview/angel-or-demon-hacker-would-the-real-weev-please-stand-up-110637
Wow that's a ridiculous sentence. You can hear more about this story on http://www.miscbb.org, it's a Hacking Forum.
Two young men in Steubenville rape a young woman and get 1 - 2 years in jail. A man writes a script to get email addresses from a website and gets 3.5 years in jail. Something's not right.
These people do not have any understanding of computers or the internet in general. I doubt it is going to change in the future. Since this type of people are generally not computer literate at all and never have been.
I doubt they know even what an IP address is or a hard drive.
Bankers who brought the nation and somewhat the world into a great recession do not serve any jail time. Too Big to Jail?
People lied about going to war in Iraq and many people died because of it. No one in the Bush administration has served jail time for lying.
Burglars and Rapists get out faster than those who do computer crimes.
I don't understand why someone who warned others about a security risk was jailed when nothing happens to the FBI for snooping on a military General's email for the wrong reason.
I guess when you are connected - sort of like the mob - but in this case the government and big business - only the little guy will do jail time.
the ATT servers were not secured. the data was figuratively lying out on the street, in the old days there would be a black or brown binder holding a galloping shitload of greenbar paper, and if you flipped the binder open, it would say, "LIST OF iPHONE USERS DATA." that is thus insecure data, hence public. ATT's trash blowing across the street. the guy should not have been prosecuted, he should have been given a code for free wi-fi at McDonalds for two weeks.
take note... data wants to be free. if it isn't locked away, it will become so. just like houses and banks, if you lock your stuff up, it isn't free to all any more.
if this is supposed to be a new economy, how come they still want my old fashioned money?
This is one of those cases that the defendant should have identified the risk versus reward for releasing this data. He obviously knew the data was not meant to be public otherwise he wouldn't have bothered to send them to prove a security flaw. Risk: Jail-time Reward: ? Name recognition? Better security at AT&T? My equation says no way in hell would I release that data. If you really care about security so much, inform the proper owner of the data, not a news agency.
In 2010, querying a public AT&T database yielded over 114,000 email addresses for iPad owners who were subscribed to the carrier.
If the database was publicly-accessible, how is it a criminal act, as a member of said "public", to actually access it? That's like a newspaper that accidentally publishes data it considers private and prosecuting readers.
The criminal act was negligence by AT&T. This is simply a distraction and face-saving prosecution to wash AT&T clean of culpability.
Strat
Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
whistle blowing?
if he would have called AT&T and told them he found this, they would have accused him of hacking, he leaks it to a journalist and gets jail? did the journalist turn him in?
Unix, an obscure operating system developed by bored researchers in an attempt to get a better game playing experience.
Forgetting to lock my door makes it easier for a thief to enter my house and steal but it doesn't excuse or even lessen the crime, that being said the sentence seems rather excessive for what is little more than an inconvenience to the people affected by the release of their email address.
Weev helped me out a while ago with free hosting when I was hosting a controversial site and had some issues with other hosting providers. He may be a total troll, but he's also a good guy who doesn't deserve this at all. He believes in free speech and despite how the media is making this out to seem, he handled the data a lot more responsibly than ATT did. He could have published it. Instead he handed it to the press.
I learned from this, that I will be sending that data to most evil bastards on the planet. Stupidity must hurt. Karma must come back. And I'm the one whose job it is, to make sure that happens.
</sarcasm>
typing more due to filter. typing more due to filter.
Many conflicting articles have been released concerning when the flaw was disclosed to whom. IANAL, but I *think* this may have been the crux of the prosecution's case. If the flaw was disclosed to others before AT&T or perhaps the people whose emails were discovered = crime. If not = no crime.
I am not advocating this position as correct. Just trying to present an opinion.
One of the better articles on the subject of disclosure, still leaves many murky grey area problems for any professional security researcher.
http://www.wired.com/opinion/2012/11/hacking-choice-and-disclosure/
For every benefit you receive a tax is levied. - Ralph Waldo Emerson
No one is being charged with stealing things. They are being charged with (to extend your analogy) telling the newspaper what an idiot you are for hiding your key under a rock.
Support Right To Repair Legislation.
any expensive lawyer worth his salt would have painted the case that AT&T was at fault, not the defendant, in a clear enough picture for the jury to understand. If OJ can get off, and Lohan can get off, it's just a matter of paying for the right representation.
What about the security and network admins responsible for the box that was hosting this database? It was completely their fault for allowing this to be exposed to the public.
It's complete bullshit that they can reprimand someone who accesses publicly sensitive data but not reprimand those that put the data at risk.
When are the courts going to learn how this shit works?
41 months for this class of crime makes this a witch hunt. Legal system: fail.
That said, he didn't behave appropriately. When I found a $20 pasted up against the side of my house, I knew which neighbor's driveway it blew out of, and I returned it to them.
Under the law: They did not protect their $20 properly from wind, it was on my property, it had no owner name written on it. It could conceivably have come from another property behind my neighbors and blown through their property....
In reality, any one of my neighbors would return any property that wasn't theirs to the rightful owner without asking. The only excuse for keeping it would be to have given returning it a reasonable try and failed.
Andrew failed the decent neighbor test. If he had a string of e-mails to AT&T showing they were not responsive to the security flaw, and he had asked a list of volunteers if he could ferret out their iPad data from the website as a test, he would have a good case...
But he didn't contact AT&T first, he showed off his 'leet skills, and snagged data about non-volunteers. Neighbor fail. I think the first 3 of his 41 months in jail are quite appropriate.
Applicants could peek ahead at the status of their admissions by adding a few numbers to their URLs on the site. Harvard rejected all of the people who tried the hack. And told other ivy b-schools about them too who also rejected them.
They would only be fined 1 day's worth of profits...
Corporations are people too? Bullshit. Corporations are treated better than people, under the law. I seriously suggest that every individual incorporate themselves and, when accused of any wrongdoing, claim it was via the corporation, and suggest that the law take it up with the board of directors.
If telephones are outlawed, then only outlaws will have telephones.
He is convicted with a harsh punishment because he has embarrassed powerful people (AT&T's executives are high up in the pecking order within our increasingly fascist nation). If you're going to point out wrong-doing by the powerful, be sure that you're anonymous when you do it, lest you wind up like Bradley Manning.
The U.S is a horrible country to live in if you get fucked by the government this way. It's a fucking feudal system. But the huge hypocrisy in this country is regarding privacy and it's no different than the way the so called communist or dictatorships(which are really feudal systems) past and present spy on you. Our 4th Amendment gone and pretty much the whole constitution is going down the toilet. Even Obama in 2001 said the Constitution is outdated and flawed, well that's because it puts constraints on the government from going tyrannical. Not to mention all the fucking lies and atrocities this country has committed all over the world, no one held accountable for the financial crisis which a lot of people lost their 401k's and homes. And yet, this guy is going to 3 1/2 years in prison.
The only thing he did was post the emails(did not see any other info) nothing else like SS, Credit Card #'s, home addresses, etc... How is this damaging. Google probably sells my gmail data linked to my personal info to the big corporations anyway. SO WHAT THE FUCK!
His only crime was missing a simple trick.
1. Link to the email list from some other website that is indexed by Google
2. Wait for Google to index the list
3. Remove the above link
3. ???
4. Profit!! (Announce that you found the list on Google)
AT&T's open front door != authorization to take data and copy it using that open front door.
Don't snitch.
I'm a satanic clam.
Wow! Lots of people here seem very familiar with the case transcript and the judge's/jury's reasoning. I'd like to be familiar with it, too. Could someone post a transcript of the case, as written by the court stenographer? I'm having trouble finding it in the original post, or the twitter feed...
signed, old #cheesy comrade..
Two, popular, teen, boy, football players were just given 11 months in a youth facility for rape. How do we balance justice in America? Isn't rape a far more serious crime than what most people would call a computer crime?
There comes a time at which we must write a rational sentencing code as well as some standard for applying charges across the board. As it stands trivial crimes may often carry harsher sentences than really severe crimes that cause permanent injury. Try this one out: I get drunk and smack a pedestrian with my car and he suffers the loss of one arm. Compare that with I decide to shoot at someone but happen to miss. Not very many people would put the drunk away for thirty years yet he caused far more harm. Juries won't sentence harshly over crimes that they tend to commit now and then and the state will not go after a drunk driver the way they would a rapist or bank robber.. Justice?
The same type of reckless design that went into AT&T's website for registration is symptomatic of the direction the industry has been heading. It represents that YOUR PRIVACY in the hands of a monopoly is not worth two-shits to them. Even if it was "only an email address" it could have easily been your SSN# on a CD, or medical record on an unencrypted laptop, voting record or ballot on a voting machine, whatever. Weev sounds like a jackass, but I would have expected better security from AT&T. If you're going to take the place to be a reactionary "victim" then maybe you should ask yourself who victimized you first -- AT&T perhaps? If AT&T left your car unlocked, would you still blame the thief?
Join the Slashcott! Feb 10 thru Feb 17!
USA #1
What fine does AT&T get for leaving the door open? FAT&T
so you sell cocaine and have a gun on you and get less time? sweet.....
He didn't walk through the door, there was no "entry" as there would have been if he had spoofed a login.
Instead, he knocked on AT&T's front door and asked for information on people X, and was given it without any kind of challenge.
Asking for something to which you are not entitled is not illegal. The correct answer from AT&T should have been "No", or at least "Prove to us that you are persons X". Instead they just gave the info away freely.
The day before sentencing, he did an AMA on Reddit, and in that he said that he was sorry that he did not do more harm, and said the next time he will do much more harm.
The prosecutors saw this and brought it up at the sentencing hearing, and it is likely a factor in why he got a relatively long sentence.
I hacked the library checkout system by reverse engineering the system of who has previously checked out the book. This unbelievable technical exploit was performed by reading the lines above my name on the sticker inside the front cover of the book with my eyeballs.
Sounds just as stupid as saying this guy hacked anything.
Whatever happened to company responsibilities? Blame someone else is the new law? How about fixing the f***ing problem?
If anyone should get 41 months, it's the ATT folks responsible for letting anyone with an IP address pull the private data out of a public server.
We have convicted rapists and murderers that seem to get off with lighter sentences than people that do anything that involves a computer these days, even if the results don't hurt anyone and only embarrass a company or some govt. personnel.
Show me the numbers and then we can talk.
Real stats for the rapist and murderer. Real stats for the geek whose computer-related crimes earned him hard time.
In the American federal system, crimes of violence are almost always prosecuted under state law.
Execution List 2012 Each state on this list, for example, has executed between 1200 and 1300 death row inmates since 1976.
Federal Executions 1927-2003: 23.
The DOJ's Computer Crime & Intellectual Property Section archives its press releases of charges and convictions dating back to 2000. It's a useful corrective to the notion that the geek's crimes are victimless. That he hasn't hurt anyone.
CCIPS Press releases
Obviously someone has been punished for no crime at all. He did NOT hack into anything, he merely iterated the public API.
The Land Of Revenge.
Strike back by means of strongly anonymous hacking. The tools are out there. Don't brag. Hit hard at let the scumbags do the messaging.
That this is the same weev that took control of the GNAA after 'timecop' fell out?
What exactly is a public database? and why would at&t be storing customer information in it?
I once worked as the I.T. Director for the State AG's office. I coached a lot of prosecutors on technology issues. But on the federal level it is different. It's more isolated, knowledge sharing is almost frowned upon.
But in my view, a prosecutor who has more than a passing knowledge of technology and infosec is a better prosecutor.
Seriously, imperfect analogies are not doing any good. This is a computer crime and, assuming you accept they should be outlawed, you must understand that the law against computer crime has a very particular wording aimed at specific forms of behavior (exploiting vulnerabilities to gain unauthorized access, writing viruses etc.). Those actions do not have meat space equivalents, and it's wrong to attribute your own moral intuition to the lawmaker who wrote the computer crimes act.
Here are a few pointers for a valid discussion that does not involve cloudy analogies:
1. The laws against hacking are too broad, they easily catch socially positive behavior such as searching and reporting vulnerabilities
2. Conversely, the laws are good, but he didn't break them, because the way he gained access stopped short of hacking.
3. The laws are good, he hacked, the prison term is or isn't adequate for the social harm he caused
Indulge me in a little hyperbole: for a friend of mine, hacking AT&T was a death sentence.
Lance Moore was involved with LulzSec, foolishly no doubt. As an AT&T technician of some sort, he acquired and subsequently distributed some internal corporate documents. The Justice department is liable to be a more accurate source of the specific complaints. He was caught. The FBI seized its opportunity to bring the hammer down. I've seen various figures given for the amount of jail time he was facing; somewhere between five and thirty. He was found dead by his own hand on February 24 of last year. His crime has by now likely been forgotten by all that were involved with it.
Sixteen other people were arrested the same day that he was arrested. I don't know their stories. The reader may judge whether justice was served.
Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
A competent jurist would have nullified the verdict, having found the law unjust.
We NEED jury nullification to be wide-spread and stop this shit.
Two high school kids just got 1 year each for raping a drunk 16 year old at a party (where people actually filmed and took pictures of it happening)..
It is not a determinate sentence.
Ohio Youth Services can keep them locked up until they are 21, if they think it is appropriate. They will then become registered sex offenders ranked by a judge according to the threat they appear to present at that time. Two teens found guilty in Steubenville rape case
Also, the average computer hacker is likely to get raped within 41 hours, never mind 41 MONTHS! (3 YEARS, 5 months)
He's gonna get it on the inside. He'll be better off than the child molesters, but that's about it. Hacker = easy prey.
Hans Reiser was a hacker and also a killer, and he even got beat up in prison. This guy is just a hacker.
Just because it CAN be done, doesn't mean it should!
.... it should mean that it is OK to take whatever is inside the house.
Is the punishment excessive and ignores another problem? YES.
Do I feel sorry for the hackers?? Not one bit.
Don't fuck with the phone company.
... US will be deprived of all hackers, nobody will dare to probe systems for security for fear of exorbitant punishment, the country's infrastructure will be vulnerable and in serious danger. Further, the curiosity of young people is turned away from computer systems at a time when we are suffering under a crucial shortage of computer nerds. If there ever is a next war, it will have a strong cyber component and the US will be so painfully inadequate it will feel like slaughter by the Russians and/or Chinese. Those prosecutors should be shot for treason as a matter of national cybersecurity.
If programs would be read like poetry, most programmers would be Vogons.
It's more like taking a photograph of your house from the fence line. Serves you right for having the curtains open and no pants on at the time.
Thus we've got a criminal conviction of the guy that caught AT&T with their pants down. The difficult question is should it be a crime or not and does it really deserve such a harsh sentence - it looks a lot like a head on a pike to discourage others to me, so more "might makes right" than anything you'd wish for in a western democracy.
The U.S. government is EXTREMELY CORRUPT. It has become a government for the rich and powerful.
if their pricing and quality (or lack thereof) weren't enough.
It's the least we can do to preserve the western civilization.
My first reaction to this verdict was that a crime had not been committed, but the more I think about it, the less certain I am. I have come up with an analogy to help me sort it out:
A business writes the names and personal information of its customers on an outside wall. In order to access the wall, a person must first walk down an alley. The alley leads directly to the street and there is not any security or signs indicating if the alley is public or private. I walk down the alley and see the data. I return later, with a notepad, and record all the customer information. I turn over the information to a local newspaper. It turns out the alley was private property.
Have I committed a crime? If yes, which crimes and what punishment could I expect?
As with so many freedoms, lack of proper understanding leads to all sorts of trouble, cost, harm and ultimately death. I remember during the dawning of GNU, playing with these new innovations before the Luddite lynch mobs, when the word "hacker" was only known by the uber informed few. As with everything that becomes popular we must accept a certain level of legislation but things are completely out of control and innovation is paying the ultimate price. The prosecutor on this case should be barred from practicing law at the least, however, war mandates a much more final outcome. I have tapered my ./ visits as of late because it continues to deliver articles that really piss me off. I send letters to the talking heads daily, I support open source everything but have that looming feeling that this is going to turn violent before we see a solution because there is virtually no place to direct one's rage / effort that has any effect what-so-ever.
That was a major oversight on the part of ATT. Whether the defendant's actions were malicious or not, ATT is at fault here. There is NO EXCUSE for their publishing all of that private information freely on the internet. ATT are NOT victims...they are perpetrators even if it is through their own incompetence. The fact that they pressed charges and that this sentence has gone this way has ensured that I will not use ATT as a carrier in the future...wow, what scum bags!
but anyone can plainly see this man is guilty because he does understand compyooters!