41 Months In Prison For Man Who Leaked AT&T iPad Email Addresses

In 2010, querying a public AT&T database yielded over 114,000 email address for iPad owners who were subscribed to the carrier. One of the people who found these emails, Andrew 'weev' Auernheimer, sent them to a news site to publicize AT&T's security flaw. He later ended up in court for his actions. Auernheimer was found guilty, and today he was sentenced to 41 months in prison. 'Following his release from prison, Auernheimer will be subject to three years of supervised release. Auernheimer and co-defendant Daniel Spitler were also ordered to pay $73,000 in restitution to AT&T. (Spitler pled guilty in 2011.) The pre-sentencing report prepared by prosecutors recommended four years in federal prison for Auernheimer.' A journalist watching the sentencing said, 'I felt like I was watching a witch trial as prosecutors admitted they didn't understand computers.'

Good

[kamapuaa]

Know I'll get modded down for going against Slashdot groupthink. But what is the argument suggesting? "It all happened on a computer, it shouldn't be prosecuted?" Stealing private information and releasing in publicly isn't just obviously illegal, it caused grief for 114,000 people.

Even if AT&T has a shitty security system, that doesn't make it legal to break in. I'd love to see Slashdot do more mundane crimes. Maybe the home had a sign saying "beware of dog," but the dog was actually at the vet, so the robber was just publicizing a security flaw.

Re:Good

[1729]

He didn't "break in". He sent requests to a publicly-accessible web server, and AT&T sent back private information. This wasn't hacking, or even a DOS attack. AT&T is at fault here.

Re:Good

[MetalliQaZ]

AT&T publishes the addresses on the web, even though they aren't advertised, they are essentially free to anyone who knows where to look.

Guy finds it, attempts to blow the whistle

Guy is criminal, AT&T takes no liability

Justice!

Re:Good

[Mullen]

As someone else pointed out, all he did was request data from a public server and AT&T sent it to him. Also, he got 41 months for forwarding 114,000 email addresses to news site, which is overkill. Had he physically broke into an AT&T office and took the email addresses from someone's desk, he would have received less prison time.

He should have been given community service at the most, and then got an award for exposing a flaw from AT&T.

Re:Good

[Midnight_Falcon]

You're missing some things here:

The Principle of "Full Disclosure" -- Meaning, companies often don't fix vulnerabilities in a timely fashion until the risk is exposed by making the vulnerability public. This principle has been important in the history of and current landscape of information security, and many people think its effects have been a net benefit.

Harm -- how were these people exactly harmed by having their email addresses revealed? If someone posted my email and iPad MAC on a web site, would I be so upset I'd want him to go to jail for multiple years..family not have income, kids not see their father, over that?

Profit -- Really, these people did it for the reputation and points amongst the hacker community -- once a noble endeavor that drove the United State's technological evolution (how much did Wozniak do just to get points among his friends?) -- now something that can apparently be risky business.

It's easy to see, especially in the aftermath of the Swartz case, that four years in jail for this rather petty act seems like disproportionate punishment for a crime which I think would be worthy of no more than a couple months of a sentence.

Re:Good

That. It's a flaw that AT&T never would have addressed without public pressure. Further, Mr. Auernheimer did not release private info to the public -- the news agency to which he released the then already-public information is responsible for further publicizing it.

Bottom line: it is ludicrous-speed absurd to prosecute somebody for publicizing already public information. If a newspaper accidentally prints the names and addresses of its entire subscriber base in the classifieds, and I call them to report it, can I then be held accountable for "releasing" the information?

Re:Good

[coniferous]

Actually, they are both at fault here.
I don't see a huge effort by Andrew to contact AT&T and say "uh, guys, you have a huge problem here".
It's very easy to percieve his actions in a malicious way.
Not that AT&T didn't goof, but this was the wrong way to address it.

Re:Good

[stephanruby]

Know I'll get modded down for going against Slashdot groupthink. But what is the argument suggesting? "It all happened on a computer, it shouldn't be prosecuted?" Stealing private information and releasing in publicly isn't just obviously illegal, it caused grief for 114,000 people.

He didn't release it publicly. He released it to a news site (which did the responsible thing).

It didn't cause grief to anyone, but AT&T.

Re:Good

[jxander]

Meatspace analogy :

If a bank didn't have a door on it's vault, or any forms of security whatsoever, would you walk in and take out all the money? Even if you proceeded directly to the local police department to report the security flaw and deliver the unguarded money, you'd find yourself in quite a bit of trouble.

Re:Good

[1729]

Nearly everything Weev does is malicious, but the question is: is it (or should it be) illegal? He was convicted of identity fraud and "conspiracy to access a computer without authorization". Think about that: requesting unprotected publicly-accessible webpages is "access[ing]" a computer without authorization". By that standard, anyone who uses the internet could be convicted of a crime.

Re:Good

It's his actions after breaking in that are being punished. They knew what they were doing was wrong, and could've easily alerted AT&T and the press without harvesting thousands of records.

Re:Good

[Pogie]

I'd mainly argue that the punishment is grossly inflated compared to the "crime". The individuals in question submitted properly formatted GET requests to a public website AT&T provided, collecting two pieces of information: The unique identifier for an iPad and the email address of the user who registered the iPad. They didn't get real names, phone numbers, addresses, social security numbers, etc. They didn't spam the users' inboxes. They didn't attempt to spoof the ICC-ID's to get unregistered iPads onto ATT's network. There's about a bazillion harmful things they did not do.

But they were sentenced to 41 months in prison? That seems disproportionate.

And from a technical specification, they didn't do anything unusual at all. I'm curious how much of their sentencing depends on the difference between sitting in front of a browser and typing in 100,000 URL's by hand to get the data v. writing some script to loop through and do it automatically.

Anyway, to your point: 'Stealing private information and releasing in [sic] publicly isn't just obviously illegal, it caused grief for 114,000 people". My responses would be:
a) email addresses are arguably not private, and to the extent that email addresses are private information, AT&T provided them on a public website.
b) I wasn't aware my iPad had an ICC-ID, but even if that's private information (and useless to anyone not in possession of my iPad, since it's solely used for validating my device when connecting to AT&T's 3G network): again, AT&T provided the information on a public website.
c) releasing the information publicly is certainly rude, but I'm not sure why it should be _obviously_ illegal.
d) what grief was caused to those 114,000 people?

The only part of the sentence that makes some sense to me is the fine. AT&T does have an argument the release of this information harms their corporate reputation (as it should. Shame on them for leaving this out where anyone could grab it), but I would think that harm would better be remedied in civil court, rather than a criminal proceeding.

Re:Good

[jd659]

A better analogy: A bank has a web server that takes person's name and returns that person's SSN. A "hacker" sends your username and gets your SSN. He does that for several people from the phone directory. Hacker goes to prison for the BANK'S FAULT of exposing SSNs.

Re:Good

[cide1]

He didn't walk into the bank vault, the bank vault threw money at him, and he didn't throw it back. Very big difference.

Re:Good

[1729]

Meatspace analogy :

If a bank didn't have a door on it's vault, or any forms of security whatsoever, would you walk in and take out all the money? Even if you proceeded directly to the local police department to report the security flaw and deliver the unguarded money, you'd find yourself in quite a bit of trouble.

Here's a better analogy: you send the bank self-addressed stamped envelopes, and they willingly send private information about their clients back to you in those envelopes.

Re:Good

[erroneus]

The crime wasn't breaking in (as this has been repeated over and over again), it was disclosure.

Part of the problem is that the prosecutors are simply ignorant as to what they are prosecuting. So any "evidence" presented was done without understanding of what they were asserting. That's quite disturbing on its own.

The "offense" isn't necessarily hacking, because that is not what happened (though it is 'believed' to have happened). What he did was collect the information and present it to the media to bring light to this otherwise serious breech -- a breech that was in active exploitation by others at that time. So, the crime was putting light on the problem.

There is a valuable lesson to be learned here. If you disclose, do it anonymously. If you don't, someone ignorant will try to prosecute. What's more, if you try to report it to the compromised party (such as AT&T in this case) they will still likely have you charged with some computer crime as has been demonstrated in the past. The only option left is fast and anonymous disclosure and to HOPE that black hats don't abuse the information before it is fixed. (We know this won't happen.)

So, don't tell AT&T their pants are down or they will blame you for taking their pants down. Instead, whisper it to other people and let the whole world laugh at AT&T before they can respond. We know that keeping the secret "secret" will not help the public servicing entity because whether someone speaks out or not, the wrong people WILL know of the problem. The right people (the public servicing entity) need to be notified and made aware of the problem(s). But there is significant risk to the messenger. So that message must be disclosed anonymously and publically. What other choice is there?

AT&T... you have just painted yourself and all other large litigious companies into a very awkward and even dangerous position.

Re:Good

[MiniMike]

Not a good analogy, as AT&T didn't lose their database, just exclusivity of it (i.e. now everyone else also has it). A better meatspace analogy might be if a store employee left open a door to an office, and someone walking by took pictures of next weeks sale items (which stores typically don't want released early) and sent that info to a newspaper. The store has not lost any items, just the info about them.

Re:Good

[coniferous]

Based on the context it was more then just accessing publicly available data. It's not as if he clicked on an link and went "Oh, look, a bunch oh e-mail addresses!". There was effort involved into getting to that list.

That being said, even if he did run into a bunch of e-mail addresses by being in the wrong place at the wrong time.. e-mailing that list to someone and going "OMG LOOK AT THIS" was proof that he knew the seriousness of the list he found. It cannot be argued that he did not know what he was doing.

Re:Good

[hazah]

What did AT&T get fined?

Re:Good

[malakai]

First off, the whole reason these guys got whacked by the judge is because they did the standard script-kid thing and went onto IRC and boasted about it, and talk about how they were going to take down AT&T, and make a name for their security company ( Goatse Security, obvious play on goat sex troll )

He didn't "break in". He sent requests to a publicly-accessible web server, and AT&T sent back private information. This wasn't hacking, or even a DOS attack. AT&T is at fault here.

By that rationale, any request on a web server via the HTTP GET or POST that could escalate privilege or divulge private data should go unpunished. You realize the number of vulnerabilities accessible via a well crafted GET URL? XSS, SQL Injection, tons of stuff. Ignore the fact HTTP is even involved here. This is no different than finding a weakness at any other level of the OSI model, the fact people can easily understand HTTP GET's doesn't make them any less serious and dangerous to an attacker.

Honestly, this has been argued over the Ping of Death back in the day. I mean, your simply sending an ICMP packet via a ping command, it's not like your hacking.

In the end it's about context. Exploiting a weakness is by definition hacking. Just because the hack isn't enigmatic, doesn't mean it's not a hack. Look at Jon Draper and a plastic whistle that happened to hit 2600hz easily.

"But it's just a guy blowing a whistle into a phone, it's not hacking".

These guys crafted a specific HTTP GET request that returned private data. The key in this request was generated by them based off a known flaw in ATT's systems (using ICC-ID as a semi private key). Then they shared that data with a news organization.

Sure, those of us in the industry can shake our head at how stupid AT&T was, but at the same time most of us recognize the line these two guys crossed. It's one thing to send an e-mail to AT&T and copy a security mailing list with a simple example, it's another to write a program and automate the extraction of over 120k e-mails and then package the data and send it to Gawker, while boasting about it on IRC channels.

Auernheimer likened his actions to walking down the street and writing down the physical addresses of buildings, only to be charged with identity theft.

I could make the same argument for randomly trying passwords against accounts. "I'm just checking to see if this key happens to work in this door...."

Re:Good

[Psyborgue]

And would AT&T do anything about it? What about the next security hole? Public embarrassment does a lot more to cause the necessary heads to roll than trying to do AT&T's jobs for them. They were incompetent and irresponsible with customer data and as far as i'm concerned, handing the data to the press was the absolute right call. How else to punish and teach?

Re:Good

[TemperedAlchemist]

Give away emails to demonstrate a security flaw? 41 months in prison.

Rape, molest, and humiliate a sixteen year old girl? 12 months in prison.

Justice.

---

I love you, America.

Re:Good

[BitZtream]

No, he made explicit requests for information using trial and error and reverse engineering to find a location that would divulge sensitive information to him.

It didn't throw shit at him, he went digging for it.

Re:Good

1. Set up web site with TOS disallowing access for any reason.
2. Trick lawmakers into accessing your site.
3. ???
4. Profit!

Re:Good

[Hatta]

But what is the argument suggesting?

We are suggesting that requesting an URL is not a crime.

Re:Good

[cayenne8]

Even with all you said, the penalty for these 'computer crimes'....is WAY off base as far as matching punishment with crime.

We have convicted rapists and murderers that seem to get off with lighter sentences than people that do anything that involves a computer these days, even if the results don't hurt anyone and only embarrass a company or some govt. personnel.

Re:Good

[1729]

Isn't a key element of the legal case that he also retransmitted the private information? He did not merely receive it.

From the court filing, it appears both charges are predicated on the notion that sending GET requests to an unprotected, publicly-accessible web server constitute unauthorized access under Title 18, Section 1030(a)(2)(C).

Re:Good

I would argue that by making the information accessible via a public API and doing nothing to verify the requester's identity, that is exactly the same as leaving your gold in the street.

Re:Good

[1729]

He didn't "break in". He sent requests to a publicly-accessible web server, and AT&T sent back private information.

Like sending "requests" to a publicly-accessible ATM using cards with other people's information on them, and then taking the money the bank "willingly" gives you.

Yeah, I totally see the difference between that and "breaking in" to an ATM.

No, that would be like to trying to impersonate people by guessing their passwords. In Weev's case, there was no authentication to circumvent.

Re:Good

[jeffmeden]

He didn't "break in". He sent requests to a publicly-accessible web server, and AT&T sent back private information. This wasn't hacking, or even a DOS attack. AT&T is at fault here.

He wasn't just looking to get to his att.com home page and happened upon a list of email addresses. Getting at those addresses took some deliberate work on his part (a big part of the law is not so much about perceptions of ease/publicity, but in perceptions of *intent*). If you leave your windowshades open a little at home, and someone comes along outside and peeps inside to watch you doing [insert something from imagination here] it is the "peeper" who is committing a crime, not the "peep-ee". In this case Mr. Auernheimer did intend to obtain addresses that were *only going to be exposed to someone deliberately looking for them* and therefore he is afoul of the law. Now, the efficacy of this punishment for such a crime is debatable, but you can't use that as an argument that what he did wasn't illegal, or that such a law has no place.

Let's see who gets my karma first, the groupthink gestapo or the 2nd graders who want to laugh at peepee.

Re:Good

But he didn't trespass -- he didn't break any laws or even conventions regarding the distinction between public/private property in requesting and being provided this information. If the pile of gold in your unfenced yard was on a conveyor that could be activated from the street, I think you would be hard-pressed to convince anyone that you intended the gold to remain in your yard. Likewise, spewing out customer details in response to a simple sql query to a public-facing DB server, which requires absolutely no circumvention of existing security measures, is difficult to paint as an earnest attempt to make a public/private delineation, and thereby prevent even accidental leakage.

As has already been pointed out, the key charge here is "access[ing] a computer without authorization." Since the publicly-facing DB server was not in any sort of secured or even posted enclave, it can only be presumed that the court finds the mere act of interfacing with this system a crime for no reason other than that AT&T has established the server as "private" after-the-fact. That opens up a terrifying door in that any service provider could suddenly declare you persona non grata retroactively, and bring similar criminal charges against you. While that's certainly a leap, it's not a big one...

Re:Good

[CanHasDIY]

I don't see a huge effort by Andrew to contact AT&T and say "uh, guys, you have a huge problem here".

Then you have never tried to contact them about... well, anything.

Not even being snarky, just relating my own experiences; I have to deal with AT&T every day, and getting them to so much as acknowledge a problem on their end, let alone do anything to fix it, is similar to attempting to snorkle to the bottom of the Marianas Trench.

Re:Good

[djdanlib]

It's not a perfect situation where there's a black-and-white answer. Think about the implications if the court rules PII / contact info about those people is publicly available information. EVERY marketer everywhere would fall all over themselves to get that information and add it to their databases, maybe even package and sell it, because it would have been called "publicly available" by a court of law. Can you imagine how awful that would be? Whereas, now, there is a stigma of 'a guy got hard time for compiling this list'.

Re:Good

[Synerg1y]

Well... it would more like a farm... you'd enter my 100 acre farm, drive around and randomly spot exposed gold that I did not intend to expose to you, but forgot to bury yesterday because aunt laura swung by. No signs differentiate the gold's space from any other, but you clearly know you're on my land and you know that gold is valuable. I never argued the street's case, besides that I have no expectation of security around the gold on the street, at&t's network would be a private residence owned by at&t.

Re:Good

[jeffmeden]

A better analogy:

A bank has a web server that takes person's name and returns that person's SSN. A "hacker" sends your username and gets your SSN. He does that for several people from the phone directory. Hacker goes to prison for the BANK'S FAULT of exposing SSNs.

It's only the bank's fault for breaching a specific law regarding protection of private information by certain security means (strong authentication, encryption, etc) but if the hacker did anything but flip on his computer (such as construct a program, no matter how small or simple, that specifically talks to the open app on the web server) then he too is guilty of misuse of a computer system under current law.

Debate the efficacy of the law, punishment, etc. all you want, but this is how the current law works, there is no room for debate on that.

Re:Good

[djdanlib]

Even better analogy: Someone looks through the windows of your house with binoculars and copies your handwritten family phone directory off your fridge.

Re:Good

[betterunixthanunix]

Getting at those addresses took some deliberate work on his part

That "deliberate work" amounted to this:

Weev: "Can I have the email address for whoever is associated with this number?"
AT&T: "Sure, it's xxx@yyy.zzz!"

Now that's a criminal mastermind hacker if I ever saw one!

Re:Good

[Golddess]

e-mailing that list to someone and going "OMG LOOK AT THIS" was proof that he knew the seriousness of the list he found. It cannot be argued that he did not know what he was doing.

And if a student finds a gun on school grounds and brings it to the attention of a teacher, that is proof that the student knows the seriousness of that situation. But I fail to see how that justifies throwing the book at the student.

Re:Good

[jeffmeden]

Meatspace analogy :

If a bank didn't have a door on it's vault, or any forms of security whatsoever, would you walk in and take out all the money? Even if you proceeded directly to the local police department to report the security flaw and deliver the unguarded money, you'd find yourself in quite a bit of trouble.

Here's a better analogy: you send the bank self-addressed stamped envelopes, and they willingly send private information about their clients back to you in those envelopes.

If those envelopes were in any way a misrepresentation of your legal desire to communicate with your bank (such as an incorrect identity, overstated request, etc) then you, the sender, are guilty of mail fraud. Do not pass go, do not collect $200. The legal system seems to be pretty mysterious to a large part of slashdot...

Re:Good

[Synerg1y]

Yes and no, you can trace a rapist to his/her victim, but you can't really assess the damage done by publishing 1k+ email addresses. What if one of those email addresses is an old lady that gets scammed by a nigerian prince? What if it's 100 of those emails that that happens to? Should the guy who provided the means for that to happen even be liable? Could it have happened anyways?

I will say this though, innocent before found guilty, if that was true, then the damage would be 0 as it can't be directly linked to criminal behavior.

Still, he wouldn't have gotten in trouble if he didn't leak the email addresses, or at least not himself, that kind of threw out any i don't know what i'm doing or I had no idea this would happen type arguments.

Re:Good

[PRMan]

How about this analogy:

Your doctor tells you your medical records will be posted in the front window of a white house at 123 Main St. You notice that the street is full of white houses. Just out of curiosity, you go to 125 Main St and see someone else's medical records. 121 Main St., the same thing. In fact every house on the block has a different person's medical records. You see a bunch of other people on the street, going to get their medical records from their respective houses. You joke out loud that you could make a lot of money selling everyone's medical records to some guy in the Ukraine. You tell the hospital that this is a lousy way to communicate medical records.

You get 41 months in prison for viewing everyone's medical records (in plain view) and for your "intent" to sell them to some guy in the Ukraine.

Re:Good

[jeffmeden]

What did AT&T get fined?

What law did they break? Please be specific. The law Mr. Auernheimer broke was rather specific, and his punishment was within the precedent of past use of that law.

Sure, you can argue that there should be laws about stewardship of quasi-private information like email addresses, but to this date there are none so it makes it a bit hard to fine them for something.

Re:Good

[coniferous]

Yeah, but he didn't bring "the gun" to a teacher. He brought it to a fellow student.

Re:Good

[ais523]

If you leave a pile of gold in the street, then legally, people shouldn't steal it. Although you'd be naive to expect it to still be there in the morning, if you found out who took it, you could legally get it back. (You'd also be liable somewhat for blocking the street, but that's a separate issue.)

Re:Good

There was precisely zero reverse engineering required for anyone with an IQ above room temperature, and the "trial and error" amounted to nothing more than trying one address after another with point-and-click port scanners.

For the old fogies: he dialed every phone number assigned to your local bank until he found the desk of a moron who would answer every question posed without asking for either authorization or identification, even if it included personally identifiable information for the bank's customers.

While the activity is dubious and the perpetrator is obviously a Bad Man (TM), there is nothing illegal about calling and asking for information. Providing said information, on the other hand, violates innumerable consumer protection laws and PII handling regulations applicable to various industries. The fact that the "hacker" in this instance is facing jail time while the "victim", AT&T, suffers not even a slap on the wrist, is the ultimate perversion of justice. Anyone who needs more proof regarding who and what actually runs this country simply isn't paying attention.

Re:Good

[Hatta]

Damn. Guess I better switch hobbies.

Re:Good

[betterunixthanunix]

If a bank didn't have a door on it's vault, or any forms of security whatsoever, would you walk in and take out all the money?

Translation: a pile of money is sitting out in a field, nobody is guarding it.

Even if you proceeded directly to the local police department to report the security flaw and deliver the unguarded money, you'd find yourself in quite a bit of trouble.

Translation: how dare you do the right thing without permission? It's not your job to do the right thing, you should just do your own job and let us do ours.

Re:Good

[fatphil]

He did ask before they gave it to him though. It wasn't thrown at him unrequested.

However, money is an unneccessary ingredient here - all he got was information. The only people who will give an analogy involving money are those who want to equate what he did with stealing. But that is nothing but misleading sophistry.

He went up to the reception desk and said "can I have the name and address of client 1000000000 please?" which they then gave him. He then said "and for client 1000000001 please?" which then then gave him. Etc.....

Re:Good

Apart from the fact that there was no misrepresentation of any kind and that he was not found guilty of fraud, you're right.

Re:Good

[0100010001010011]

Stupenville rape case. The raped an unconscious girl. Drug her between parties. Tweeted about it.

Serving a minimum of a year. "Could" be in jail until they are 21, but unlikely.

Re:Good

[ByOhTek]

Well, he could have given them directions on how to do it, rather than the data.

However, yeah, it's still AT&T that was stupid. Conversely, if a store let you rent (or simply loaned you) any object inside of it, including their business books, would it be equally illegal for you to photocopy their client listings and send those to the news media? It amounts to the same crime - except that this variant would take a bit more money and effort.

Re:Good

[guttentag]

Auernheimer was found guilty, and today he was sentenced to 41 months in prison

And how many months in prison were AT&T executives sentenced to for making the email addresses publicly available?

'Following his release from prison, Auernheimer will be subject to three years of supervised release

And who is supervising AT&T to ensure it doesn't do this again?

Auernheimer and co-defendant Daniel Spitler were also ordered to pay $73,000 in restitution to AT&T.

And how much did AT&T have to pay in restitution to the customers who were actually harmed by AT&T's actions in this situation alone?

We need a congressional inquiry into AT&T's practices. AT&T has put itself in a position where it breaks the law, whistleblowers get prison sentences and AT&T makes a $73,000 profit, while the people AT&T harmed in the first place are still harmed (once their email addresses were out there, the genie wasn't going back into the bottle).

AT&T does this stuff all the time. Last year AT&T allowed some third party that sent me a text message to "cram" a recurring charge onto my monthly phone bill, systematically buried the charge to hide it from me (when already looking at my "detailed statement" I had to click on five links just to find out what the service fee was for), made me log into a separate Web site just to cancel the recurring "service," and presented me with an error message saying they could not complete my request when I finally clicked the submit button on the form to cancel the service. When I called them, they gave me all kinds of BS stories to claim that I requested the charge, ranging from "your kids must have gotten your phone and signed you up for the service" to "we have a log file that shows a request for the charge coming from your device" (and then absolutely refused to show me said log or even read it to me over the phone). It wasn't until I indicated I would be writing to my Congressman and that I knew the term for what they were doing ("cramming") that they agreed to reverse the charge. AT&T needs a watchdog.

Re:Good

[ais523]

There are laws against what AT&T did in the UK (if you're storing information about a person that's sufficient to identify that person, you can't make it public without their permission, although you can obtain their permission when you obtain the information). Ones that are considered important enough to be taught in schools.

Re:Good

I won't argue morality, break ins aren't good of course. My point isn't any attempt at distracting from this fact.

That said, didn't the police officer who executed that man a while back on the BART get 2 years for accidental manslaughter or something? This guy spams some email servers and breaks into an office and he almost gets double that. Justice here seems to be more a function of protecting the politically connected rather than of universal rules that apply consistently to everyone. The weak and powerless are those least protected under these laws(my anecdotal example is not isolated, this is how things usually go). It seems like this violent institution that can kidnap and jail and torture people in rape rooms of prisons is better suited to convincing people of its legitimacy by preaching order rather than actually practicing order. If anything, I would describe these arbitrary and backward mandates as chaos. The whims of rulers to decide the fate of a man for petty wrong doing as described in this article is about as destabilizing a thing one could ever do. Only degree separates the chaos of our current system with say the total chaos of life in north korea, where barely anything makes sense.

Re:Good

[gmuslera]

Almost by definition, you can't "steal" (unless we are talking about taking out something and not leaving the the original copy) something that is public. Is not your side the one in fault. Do a google search for files that have sensible information and shouldn't be public, you will find plenty of them, and is not your fault, or Google's, is from the people that are actually publishing things, being aware of it or not.

A real life example is if i offer you something that you accept, and then call the police claiming that you stole it if you say what i did.

Re:Good

[Trepidity]

Yes, in particular they aren't claiming that the transmission would be independently a crime. That's mainly because the U.S. doesn't really have data-privacy laws with significant teeth, so in general you can transmit whatever private information you want about people. The only crime would be the "unauthorized access" to gain it.

Re:Good

[Trepidity]

What if it had an ATM on the outside of the building that dispensed money without requiring a debit card or PIN?

Re:Good

[fatphil]

> By that rationale, any request on a web server via the HTTP GET or POST that could escalate privilege or divulge private data should go unpunished.

Not at all! The site leaking the information should be held responsible, and if it's clear punishment is due, they should take it like a man.

> These guys crafted a specific HTTP GET request that returned private data.

No craft was involved. They were handed that GET request by the server, in order for their browser to later resolve it for their own legal use. All they did was resolve trivial variations on it. Admittedly, that might be considered "craft" by the incompetents presiding over the court, but it's no higher tech than sharpening a stick.

And if the data was *private* it shouldn't have been accessible to arbitrary clients without secure identification. AT&T made the private data public.

Re:Good

[dmbasso]

Indeed, but I guess it wouldn't make a difference if he just showed how to do it, instead of actively forwarding the addresses.

But what bothers me is not that he's being punished, but the severity of the punishment. 41 months in jail? Please, remind me how many months in jail did the Santander employees responsible for money laundering for terrorists get... oh, wait, I remembered, they didn't even get prosecuted, because rich people can screw everybody freely.

Re:Good

[fatphil]

> Part of the problem is that the prosecutors are simply ignorant as to what they are prosecuting. So any "evidence" presented was done without understanding of what they were asserting.

But she looks like a witch!
http://www.youtube.com/watch?v=yp_l5ntikaU

Re:Good

[QuantumRiff]

Two high school kids just got 1 year each for raping a drunk 16 year old at a party (where people actually filmed and took pictures of it happening).. http://www.sheboyganpress.com/viewart/20130318/SHE0101/130317029/Two-Ohio-high-school-football-players-convicted-raping-girl-16

and this guy gets more than 3 times that for mentioning that a web site will give out people's private email address after AT&T did nothing about it?

Re:Good

[SlippyToad]

Kind of a shitty analogy, since we're not talking about a vault, but a public web server.

But nice try. It's just that your analogy completely blows goats.

Re:Good

[jeffmeden]

"Basic security" seems equally mysterious to you...

--Matt Jones

Basic security != computer crime legislation...

But ask anyone on slashdot and of course, laws should be written accommodating for ones ability to write firewall rules.

Re:Good

[jeffmeden]

Getting at those addresses took some deliberate work on his part

That "deliberate work" amounted to this:

Weev: "Can I have the email address for whoever is associated with this number?"

AT&T: "Sure, it's xxx@yyy.zzz!"

Now that's a criminal mastermind hacker if I ever saw one!

There isn't really a specific sentence for "criminal mastermind" when it comes to computer crimes, so the judge was in no place to make an exception...

Re:Good

[flimflammer]

Shitty bank? Absolutely. That doesn't absolve the other party.

Re:Good

[flimflammer]

That's great and all, but lets focus on the country this actually happened in. What laws did AT&T break in the US?

Re:Good

[Golddess]

I thought he brought it to a news agency.

Re:Good

[matrim99]

This would be a great analogy if your home is located on AT&T's property, weren't ever allowed to go to your home (but you could view it and AT&T's discretion), and your house was made entirely of windows.

Re:Good

Because they were minors one of them got 1 year and up to age 21 and the other one got 2 years with the possibility of serving til they age of 21. They also both have to register as sex offenders for the rest of their lives which in some states means they cant live within so many feet of a school or church, can never have a job where they work with kids, can never own a firearm, can't be a cop etc.

Not that they don't deserve it, they do, but the idea that they are getting off scot-free is not correct.

Re:Good

[Jane+Q.+Public]

"... you can't really assess the damage done by publishing 1k+ email addresses."

He DIDN'T publish the addresses. He sent them to the newspaper as proof that AT&T was screwing up. If the newspaper published them, you can blame the newspaper. It sure as hell wasn't his fault.

Re:Good

[LordNimon]

By that rationale, any request on a web server via the HTTP GET or POST that could escalate privilege or divulge private data should go unpunished.

Yes, that's correct. We're not talking about a (D)DOS attack. This was a normal request/response. The owners of the servers should be 100% responsible for the security of those servers in such situations.

Re:Good

[coniferous]

And a news agency is?

Re:Good

[StuartHankins]

I would trade all my good karma to substitute for them to have bad karma. Because we haven't punished them sufficiently, it lowers the threshold for future issues such as this.

On the other side, if you punish rape as severely as murder then they will just kill the girl afterward.

But this punishment? It's a travesty. One day it could be one of my daughters.

Re:Good

[Runaway1956]

Group think. Here's a little group think for you.

Kill a man. Or a woman, I'm not prejudiced here. Kill someone. Get caught, go to trial, get convicted. You'll likely do about five years in prison. Five years, for a life.

Alternatively, go poking around an AT&T server. Request some data. If the data comes back to you, tell people about it. Get caught, go to trial, get convicted. You go to prison for four years, plus pay AT&T a couple year's wages.

Group think asks - why is a little bit of data as valuable as a person's life?

WHY IS OFFENDING A CORPORATION PUNISHED AS SEVERELY AS COMMITTING A MURDER?!?!?!

Nothing was damaged, broken, destroyed, or killed. A company's reputation may have been slightly tarnished. I might understand this sentence had AT&T's investors lost many billions of dollars. I WOULD understand the sentence had the "perp" profited by millions or billions of dollars. But, that is not the case here. AT&T took offense over something that should not have been offensive.

Re:Good

[Yakasha]

e-mailing that list to someone and going "OMG LOOK AT THIS" was proof that he knew the seriousness of the list he found. It cannot be argued that he did not know what he was doing.

And if a student finds a gun on school grounds and brings it to the attention of a teacher, that is proof that the student knows the seriousness of that situation. But I fail to see how that justifies throwing the book at the student.

Incomplete analogy. To fix it, you would have to include the student picking up the gun and squeezing off a few rounds before telling the local news about it... without ever involving the teachers. Doesn't sound quite so innocent now, does it?

Re:Good

[ArhcAngel]

Actually he walked into the vault and took a picture of the money. Then he reported his finding regarding the lack of security and showed the pictures. They are basically sentencing him for entering the bank vault but not the security guard who is equally culpable.

Re:Good

[StuartHankins]

Exactly. Our kids' futures are looking bleak if our society allows stuff like the rape to happen with little punishment, but goes balls deep on this guy who only got email addresses from a public API. No skill required.

But that girl will likely have to see these punks again and again and it's gonna be bad for her to deal with. They will be back, emboldened next time. And her friends that have seen this go down this way, they aren't going to bother reporting it next time.

Re:Good

[Hatta]

So? If I find your personal information on public display in the library, what does it matter how long it took to find it?

Re:Good

[jklovanc]

We will never know what AT&T would have done since Auernheimer didn't inform them before releasing the data.

If a newspaper accidentally prints the names and addresses of its entire subscriber base in the classifieds, and I call them to report it, can I then be held accountable for "releasing" the information?

No, but if you find an unlocked door on the newspaper office, rifle through their file and publicize that information then yes. That is basically what Auernheimer did.

The judge who refused to throw out the case stated that it would not have been an issue if information on a few users had been released as examples of the issue. He stated that 114,000 was far to many to prove an issue and it became malicious intent at that point.

Re:Good

[AvitarX]

But the info is being actively given.

He didn't take a loose hard drive from at&t, he sent requests to the server using a standard communication method. It's equivalent to pretexting, not theft.

Re:Good

[Hatta]

In this case Mr. Auernheimer did intend to obtain addresses that were *only going to be exposed to someone deliberately looking for them* and therefore he is afoul of the law.

The law prohibits unauthorized access. Not unlikely access. No authorization control means access is authorized.* The deliberate ignorance of the prosecutors and jury notwithstanding.

*Assuming anything else breaks the entire internet irrevocably.

Re:Good

[jklovanc]

The difference is that each request had to have a code at the end of the GET. That code is relatively easily guessed but it still acts as a weak password. When most people use the internet it is akin to walking through a door with a sigh over it (the url) and asking for information. What he did was search around the building, found a door with a weak lock, pick the lock and got in.Then he tried a few hundred thousand more times (he had 114,00 successes but a lot more failures). This is not the way most people use the internet.

Re:Good

. . . say I left a pile of gold in the street, I can't have any expectation it'll be there tomorrow, the streets not mine, but say I left it in my yard, and it's unfenced, to get it, you have to trespass + it's on my property. That's what this guy did, he trespassed and took it . . .

No, he didn't trespass. The owner had a clear understanding with the public that they were allowed in the yard. The man saw a pile of gold in the yard and asked the local robot - which the owner had configured to hand out various piles of sand, peanuts, dirt, grass clippings and other things in the yard. The local robot obliged and the requestor found it uncomfortable that something so significant had been handed out without question.

Your analogy is broken.

Re:Good

[jklovanc]

Actually the GET request required the ICC-ID of the device to get the email address for that device. The ICC-ID could be construed as a the name of the owner of the device asking for the information and therefore he was fraudulently impersonating someone else when making the requests

Re:Good

[jellomizer]

Just because it wasn't complex hacking, it was still hacking.
Sure AT&T was stupid for their setup, however it was they guy who saw the flaw, and then exploited it. If he found the problem by mistake then reported to AT&T and then walked away he would probably be OK. He didn't, he was malicious about it and he deserves time in jail for it.

You leave you keys in your car and the door is unlocked, then some one steals your car, they get caught, they should be punished for stealing your car. Yes you were stupid to leave your car insecure, but the guy who took your car was performing the crime.

Re:Good

[Aryden]

It's only illegal if you are not allowed to see the data. By them making it publicly accessible, he was within the letter of the law. This amounts to poor prosecution and equally poor presiding by the judge.

Re:Good

[gnasher719]

The judge who refused to throw out the case stated that it would not have been an issue if information on a few users had been released as examples of the issue. He stated that 114,000 was far to many to prove an issue and it became malicious intent at that point.

He could have run his scraping script for a minute, gathered 30 email addresses, and told them "I ran this script for just one minute and got 30 addresses, if I ran it for a week I would got 114,000 addresses. ". Instead, he ran it for a week (or however long it took).

Re:Good

[Anonymous+Brave+Guy]

...sending GET requests to an unprotected, publicly-accessible web server constitute unauthorized access...

Am I reading this right? Someone was convicted of a criminal offence because he did something that search engines like Google do millions of times every day?

Re:Good

[Anonymous+Brave+Guy]

They were incompetent and irresponsible with customer data and as far as i'm concerned, handing the data to the press was the absolute right call. How else to punish and teach?

By having real data protection laws and then reporting people who break them to the appropriate authorities so they can be prosecuted/sued accordingly?

Re:Good

[sjames]

So you're saying throw the book at him for daring to damage AT&T's reputation by reporting fairly and accurately on something it actually did? And more so because he stood behind his claims rather than lobbing it over the wall and bravely running away?

It is the court's duty to see that justice prevails no matter how incompetent the defense may be.

Re:Good

[Lesrahpem]

This information was on a public webserver without any type of authentication. If a large company like AT&T is irresponsibly handling customer data in this way the public should absolutely be informed immediately. Mr. Aurenheimer could have handled the situation better, but I do not think his actions should be criminalized at this level. Did he endanger people by blowing a whistle? Yes. Did he compromise a secure computer system to do so? No. IMHO this should fall more under "creating a panic" or something.

Re:Good

[gnasher719]

As someone else pointed out, all he did was request data from a public server and AT&T sent it to him. Also, he got 41 months for forwarding 114,000 email addresses to news site, which is overkill. Had he physically broke into an AT&T office and took the email addresses from someone's desk, he would have received less prison time.

Not quite. All he did was forging a request that one specific iPad would have done legitimately, sending it to AT&T and recording the answer. And then he forged another request that another iPad would have done legitimately. And then another one and so on, 114,000 times.

Re:Good

[cheater512]

So if I put top secret documents on topsecretdocuments.com with no password, I can sue you if you go there?
They are clearly top secret!

Re:Good

[Synerg1y]

So you're saying throw the book at him for daring to damage AT&T's reputation by reporting fairly and accurately on something it actually did? And more so because he stood behind his claims rather than lobbing it over the wall and bravely running away?

I could care less about at&t. He demonstrated malice when he published the email address of the OWNERS of those email addresses.

It is the court's duty to see that justice prevails no matter how incompetent the defense may be.

In the perfect world maybe, in the states, countless examples exist of people buying off the system through defense attorneys, if not even self stature.

Re:Good

[Theaetetus]

Isn't a key element of the legal case that he also retransmitted the private information? He did not merely receive it.

From the court filing, it appears both charges are predicated on the notion that sending GET requests to an unprotected, publicly-accessible web server constitute unauthorized access under Title 18, Section 1030(a)(2)(C).

Actually, from your own link, the charges were predicated on the notion that spoofing an identity in order to fool someone into giving you confidential information is a crime. These weren't just GET URL requests like your browser is sending to read Slashdot, but requests with spoofed IDs - closer to sending GET requests to Slashdot with spoofed cookie IDs in an attempt to get emails of other Slashdot users.

Or, as an analogy, this would be like calling a phone number and saying "Hi, this is Bill at [Bank of America/Sovereign Bank/Citizens Bank/DCU/etc], and there's been a fraud report on your account. So that we can unlock your account, can you verify your full name, address, date of birth, and social security number," and trying it with different bank names each time until the person stops saying "but I don't have an account with your bank" and responds "oh, gracious, that's my account. Here's my info." Except that you do that thousands of times a second.

The point is that you wouldn't be arrested for "making a phone call" or "sending GET requests," but obtaining confidential information through fraud.

Re:Good

[Theaetetus]

Meatspace analogy :

If a bank didn't have a door on it's vault, or any forms of security whatsoever, would you walk in and take out all the money? Even if you proceeded directly to the local police department to report the security flaw and deliver the unguarded money, you'd find yourself in quite a bit of trouble.

Here's a better analogy: you send the bank self-addressed stamped envelopes, and they willingly send private information about their clients back to you in those envelopes.

Even better analogy: you send the bank self-addressed stamped envelopes, along with a copy of spoofed identification that purports to be one of their account holders, with a random name, but matching signature, address, etc. Most of them, they discard as not corresponding to a real account, but every once in a while, one of them hits, and they respond with the private info you requested. In other words, you're not just asking for information, but committing fraud.

Re:Good

[Theaetetus]

Meatspace analogy :

If a bank didn't have a door on it's vault, or any forms of security whatsoever, would you walk in and take out all the money? Even if you proceeded directly to the local police department to report the security flaw and deliver the unguarded money, you'd find yourself in quite a bit of trouble.

Here's a better analogy: you send the bank self-addressed stamped envelopes, and they willingly send private information about their clients back to you in those envelopes.

If those envelopes were in any way a misrepresentation of your legal desire to communicate with your bank (such as an incorrect identity, overstated request, etc) then you, the sender, are guilty of mail fraud. Do not pass go, do not collect $200. The legal system seems to be pretty mysterious to a large part of slashdot...

'I felt like I was watching a witch trial as Slashdotters admitted they didn't understand the law.'

... except that no true Slashdotter would ever admit to that. ;)

Re:Good

[loshwomp]

What if one of those email addresses is an old lady that gets scammed by a nigerian prince? What if it's 100 of those emails that that happens to?

If it's that serious then we need to find AT&T criminally negligent for letting absolutely anyone get all those private email address. If it's not that serious after all, then there's no point in railroading the guy who reported the problem, but we can't have it both ways.

Re:Good

[WD]

So by your logic, no public web server can ever be hacked? SQL injection, bruteforce password guessing, hell, even something that allows remote code execution on the server... those all happen by sending one or more requests to a web server. And the result is something that violates an implicit or explicit security policy of the system involved.

Re:Good

[sjames]

I wouldn't call their releasing the emails the best approach to the problem, but I also don't think it's really worth 41 months in the slam. It also isn't something they should have gotten no penalty for, they could have proven their point with 100 emails, no need to keep fetching.

In the perfect world maybe, in the states, countless examples exist of people buying off the system through defense attorneys, if not even self stature.

True enough, but surely no cause for celebration.

Re:Good

[Synerg1y]

I actually tend to agree on the length of the prison term being BS, sentencing in grey area territories rarely fits the crime. What I'm trying to say though is that they sentenced him based on what could've been, rather than what was. What could've been is mass email compromising and a loss of revenue for at&t. I doubt any of that happened, but to a computer illiterate judge and prosecutor its all the same. So yes, the manner in which the sentence was appropriated is a kick back to the stone age.

Re:Good

[tragedy]

Instead, he ran it for a week (or however long it took).

A week? For 114,000 e-mail addresses from the servers of a large company? Clearly there would have been more to each dump than just the 25 or so bytes for a single e-mail address, but it still seems like it shouldn't have taken more than an hour or so.

Re:Good

[kamapuaa]

But of course the information isn't being made public, if it takes a hacker to illegally access the information.

If it's illegal to have a shitty security system, sure, AT&T is guilty of that.

Re:Good

[Luckyo]

And guy who picks the lock doesn't break in either. He just uses a publicly available tools to access the door lock.

Next.

Re:Good

[tragedy]

If the door in question is the main entrance of a store with no signs posted restricting entry, then it's a little different from walking into a private residence.

Re:Good

[Luckyo]

"Little punishment"? US justice system is draconian when it comes to punishing crime. These guys are going to have a stigma of "sex offender" for their entire lives on them now.

What the hell happened to rehabilitation? You know, getting both the victim and criminals rehabilitated to be able to live good lives without the spectre of rape hanging over them? Now victim gets "vengeance" which solves absolutely nothing for her, and two guys went from low grade passion criminals to having completely destroyed lives coupled with likely recidivism due to problems with US incarceration system. Hooray for more victims. Get the rope, I hear hanging solves all the problems in frontiersman's land.

Same thing could have been used in the crime of that guy. Instead of throwing him into jail, have him fined and have him have face to face meetings with people who he basically fucked by giving all spammers and scammers in the world their email addresses. Let him hear about actual, real and tangible effects of his "gray hacking" or whatever it is that his lawyers tried to dress it up as. And lastly, have him see the impact on the company he was supposed to be working for, perhaps have him do the work to secure all of their servers for a while under threat of prison for pennies. Perhaps then he would have found a much greater insight as to how difficult it is to manage a huge infrastructure company and next time forward his finds up the ladder instead of pretending to be a wannabe hero.

But hey, prisons must make profits.

Re:Good

[tragedy]

This demonstrates the problem with strict liability laws. In the scenario you're putting forward, delivering the money to the police is pretty absolute proof of benevolent intent, but the authorities seem to seldom see it that way. Let's say, instead of a bank vault, it's an ATM in a shady part of town and it malfunctions as you walk by and starts dispensing money. What will the honest person do in this situation? What will the dishonest person do? In that scenario, the honest realist knows that their best bet is to walk by and act like they've seen nothing and not even report it. The honest person who gathers the money and brings it to the authorities, or who even tries to contact the authorities may well face prosecution or at least suspicion.

Re:Good

[tragedy]

Once upon a time, banks had a certain amount of time to catch and correct bank errors in your favor and, if they didn't do it before the deadline, the money was yours. The reasoning behind this should be obvious: the bank shouldn't be making those kinds of mistakes and, if they do, the losses should be theirs. We seem to have crept further and further away from that ideal. "Personal responsibility" is still strongly preached, but it only applies to peons. Large institutions are given almost infinite opportunity to correct their mistakes and forgiveness if they're unable to.

Re:Good

[thedarknite]

The request would be closer to "Hi, this is Bill. You have an account at Bank of America with account number 5551212 , what's your name, address, date of birth and social security number?"

Re:Good

[tragedy]

In the US, it's traditionally supposed to be the bank's job and responsibility to make sure they don't make those kinds of errors. If they accidentally put $50,000 in your account and don't fix it by the midnight deadline, then it's supposed to be yours regardless of whether you think it was yours to begin with or if you know it's a bank error. It's all part of fiduciary responsibility. The bank isn't supposed to make mistakes. If they're making mistakes in people's favor, then they're surely making mistakes that harm people too.

Naturally this has all eroded over time.

Re:Good

[BasilBrush]

That's similar to saying: I didn't break into the house. The door was unlocked, and turning the handle granted me access.

Up to now, no crime has been committed.

Then I took copies of the householders bank account details, his photos, his passwords...

Now it's a crime.

The criminal in question, took 114,000 email addresses that he knew he had no right to. And then passed them on to others.

There's no doubt it's a crime.

Re:Good

[BasilBrush]

We have convicted rapists and murderers that seem to get off with lighter sentences

Bullshit. Murderers are never sentenced to less than 41 months prison.

Re:Good

[jxander]

Bingo.

There are enough people cruising the web who would use this information for nefarious purposes, that even if weev had strict White Hat intentions with the data found, it looks suspicious, and gets his ass over 3 years in prison.

Re:Good

[BasilBrush]

There's not much point in contrasting the sentences of two completely different crimes, particularly when one concerns juveniles, and the other doesn't.

Maybe the Steubenville case sentences aren't severe enough. That still has no bearing on this computer misuse case.

Re:Good

[BasilBrush]

You think a juvenile being caught, prosecuted and serving a prison sentence, and being put on a sex offenders register is "emboldening"?

What a weird point of view. It seems totally divorced from reality.

Re:Good

[Synerg1y]

You can post idiotic comments all you want as AC, doesn't make them useful. Consider this: your argument isn't plausible, the man in the story gave the email addresses to the newspaper, so if I gave the gun to the shooter... guess what that makes me an accomplice. Anyways, enough of responding to *mostly* idiotic idealistic arguments that seem to follow my posts, time to go home.

Re:Good

[BasilBrush]

It's illegal. He knew he wasn't supposed to have access to the data - we know that becuase he went to journalists with the story. He took the data, nevertheless, and sent the stolen data to others.

It's a crime. No matter how you want to describe it. Nor how much you could imagine yourself doing the same thing.

Re:Good

[BasilBrush]

He was no "allowed" to see the data. And there was no web page with a button that said "Download lots of addresses". He went searching through a directory structure that had not been secured in error. We know he knew he was not supposed to have access, and the security hole was a mistake because he went to a news site with the story.

Security holes do not give anyone legal permission to access. Any more than locks on buildings being left unlocked grant anyone legal permission to enter.

He broke the law, knowingly. And he is certainly guilty.

The length of the sentence seems a bit severe though.

Re:Good

[BasilBrush]

There was no mistaken entry here. He specifically spoofed GET requests to make it look like they were coming from the owner of the email address.

And he did it 114,000 times.

Re:Good

[BasilBrush]

I don't see a huge effort by Andrew to contact AT&T and say "uh, guys, you have a huge problem here".

Well he wouldn't, would he. He's a member of a bunch of internet trolls what used to plague this very site. They call themselves "Goatse Security", and were behind the persistently obnoxious "Gay Niggers of America Association". He had absolutely no intention of doing anything good here. His intention was clearly to create as much unpleasantness for as many other people as possible. That's their standard MO.

Well this time, the idiot fought the law, and the law won. Great result.

Re:Good

[BasilBrush]

A better analogy: A bank has a web server that takes person's name and returns that person's SSN. A "hacker" sends your username and gets your SSN. He does that for several people from the phone directory.

Where several = 114,000.

Hacker goes to prison for the BANK'S FAULT of exposing SSNs.

Hacker goes to prison for his own crime. The bank may or may not have committed a crime in it's negligence. But it doesn't take away from the "hacker" crime.

Re:Good

[BasilBrush]

I'd be happy with that analogy if the email addresses were listed in a web page that it was possible to navigate to. However, this involved spoofing the identity of each of the email addresses owners. That's not a simple looking to see what's there. That's an active fraud.

Re:Good

[BasilBrush]

No he spoofed other people's identities. So if you're using a bank giving out money as the analogy, then his part of it was forging bank cards or cheques.

Re:Good

[BasilBrush]

While the activity is dubious and the perpetrator is obviously a Bad Man (TM), there is nothing illegal about calling and asking for information.

Unless you're a more qualified lawyer than those involved in this case, I'd say the evidence of his conviction is that it IS illegal.

Re:Good

[BasilBrush]

There was no public display. Despite what lots of clueless people here are saying, this was a hacking exploit, that involved spoofing someone else's identity, using a non-published web-service. That's not public display.

Re:Good

[Jane+Q.+Public]

"Think about what you just said for a second... now go make the real posters sandwiches."

You are claiming that Gawker has no responsibility for publishing? According to the official accounts, "Goatse Security" had tried to contact several "more responsible" news outlets to get the story out. They only resorted to including some emails with the story when that failed, in order to verify that it was real.

Never mind their motivations. Yes they acted irresponsibly. But that is as may be. They weren't responsible for first "publishing" emails.

Now go make some cheese sandwiches for Goatse.

Re:Good

[BasilBrush]

He went up to the reception desk and said "can I have the name and address of client 1000000000 please?" which they then gave him. He then said "and for client 1000000001 please?" which then then gave him. Etc.....

Almost. Actually, rather than the reception desk, he went behind the counter, and into one of the back offices and then...

Re:Good

You missed the stage where you go from window to window, carefully photographing the details, then bundle them all up and mail them to a publisher.

Re:Good

[BasilBrush]

Sounds like a myth.

Re:Good

[Jane+Q.+Public]

"Yes it was his fault. He was trafficking in stolen property. And of course he stole it in the first place. The newspaper might also have committed a crime, but that doesn't mean he didn't."

Are you just HUNTING for stuff to argue with me about? Could it be that says something about you?

I did not try to claim he was blameless. I simply stated (truthfully) that he wasn't the one who published. Blame him for what you like, but blame the publisher for publishing.

Re:Good

[Hatta]

A public facing web server with no authorization controls is a public display.

Re:Good

[AvitarX]

Pretexting on a phone call is not a crime (everywhere).

Someone doing the same thing by social engineering isn't a criminal, why is this?

he didn't break any existing defense, nor make a malformed request.

Re:Good

[runeghost]

He's being jailed for pointing out that the emperor wasn't wearing any clothes. Welcome to 21st Century America.

Re:Good

[chris_mahan]

A fedex letter sent to their legal department would probably have been looked at.

Re:Good

[Ol+Olsoc]

Know I'll get modded down for going against Slashdot groupthink. But what is the argument suggesting? "It all happened on a computer, it shouldn't be prosecuted?" Stealing private information and releasing in publicly isn't just obviously illegal, it caused grief for 114,000 people.

This. Two football stars were found guilty of raping a 16 year old paseed out drunk or drugged girl. They were exceptionally pleased with themselves, using social media and video and photos in documenting their glorious conquest. Photographed the underaged girl naked too. Not only were they prosecuted as Juveniles, after being found guilty, they'll get a tiny penalty. A year.

You figure that this guy deserves more than kiddie porn disseminating rapists? Let's equate the two. That isn't groupthink, that is a What the Fuck moment of biblical magnitude.

Re:Good

[Cruciform]

The moral of the story is, if you're going to commit crimes join the football team first.

Re:Good

[Cytotoxic]

By that rationale, any request on a web server via the HTTP GET or POST that could escalate privilege or divulge private data should go unpunished.

Yes, that's correct. We're not talking about a (D)DOS attack. This was a normal request/response. The owners of the servers should be 100% responsible for the security of those servers in such situations.

Well, by this logic there should be no laws against computer intrusion. If you didn't secure your computer against that port 73 buffer overrun bug, well, that's your fault for getting p0wnd. Or if there is a bug in the java beans backend of your server that crashes all authentication to root when presented with malformed unicode? Well, tough... patch your servers, moron. Some hacker finds a vulnerability in Apache that allows him to get root using get/post commands and uses that to get control of your server - nothing wrong with that?

I mean, really - did you really, really mean to say that attacks using get or post should be perfectly legal? There's lots of malicious activity that can be undertaken using http connections. There's laws against hacking computers for the same reason that there are laws against breaking and entering in the realm of real estate. We don't say "well, you shoulda bought a better lock" when a burglar breaks in through the back door. We say the burglar is a criminal and prosecute him.

That doesn't mean you shouldn't get a better lock, or do a better job of computer security - but I still don't think we should just say "if you didn't secure your server well enough, that's your own fault".

Re:Good

[crioca]

Know I'll get modded down for going against Slashdot groupthink.

You should be modded down, but not for that.

But what is the argument suggesting? "It all happened on a computer, it shouldn't be prosecuted?"

No, the argument is that it's equivalent to mailing a request to AT&T asking them to send you a database of their customer's private details, having them do so, and then getting you charged once you've gone to the media to blow the whistle on what AT&T is doing.

Stealing private information and releasing in publicly isn't just obviously illegal, it caused grief for 114,000 people

There was no theft: AT&T had built a system which permitted anyone who made a request for this information to be given it. As a private individual, Mr Auernheimer is not beholden to keep this information a secret. Their right to privacy does not trump his right to free speech.

Even if AT&T has a shitty security system, that doesn't make it legal to break in.

As above, their security system was not breached, it simply didn’t cover the data he requested. He didn't break in. He sent a request for information, they gave it to him.

I'd love to see Slashdot do more mundane crimes. Maybe the home had a sign saying "beware of dog," but the dog was actually at the vet, so the robber was just publicizing a security flaw.

The problem with this comparison is that unlike the world of computers, the physical world doesn’t have explicit permissions that govern interactions. In this example it would be more like the sign said “Interaction with Dog permitted for all.” And then punishing someone for playing with him.

Re:Good

[Cytotoxic]

That's an excellent point.

Although the punishment for murder ranges from nothing to death, while the punishment for offending a corporation ranges from a few years in jail (here) to a lifetime to many lifetimes in wages to getting lauded as a hero and receiving millions of dollars (pick your favorite trumped-up corporate scandal).

Too bad prosecutors often fail to live up to the vast responsibility they've been given via prosecutorial discretion. (my favorite of late is a Georgia woman who was convicted of vehicular homicide when her 5 year old kid was hit and killed by a drunk driver as she and her family crossed the street from the bus stop - not only was she not driving, she doesn't even own a car. Nice work, Ms. Prosecutor... more irony - She gets 6 times the prison time of the drunk driver who plowed into her and her family. Double-good nice work, Ms. Prosecutor)

Re:Good

[Runaway1956]

I had never heard that story. It's such a miscarriage of justice - I don't have any idea how the prosecutor can possibly go to sleep at night. The story doesn't mention the race or color of either the victims or the driver - but in Georgia, I might make an educated guess.

Well, half the guessing is right at least - http://dc.streetsblog.org/2011/07/26/raquel-nelson-granted-option-of-new-trial/ That story is an update, two weeks later. I'm curious, gonna look some more . . .

http://dc.streetsblog.org/2012/04/17/raquel-nelson-back-in-court-with-high-profile-lawyer-at-her-defense/ That story almost makes it look like the prosecution had a change of heart.

In September, the prosecutor is still going though: http://dc.streetsblog.org/2012/09/11/georgia-prosecutor-continues-case-against-raquel-nelson/

The way I learned it, the pedestrian always has the right of way. I was 19 years old the first time I ever heard the term "jay walking". Unless the mother physically picked the child up, and threw him in front of the car, blaming the kid's death on her is grossly wrong. And, obviously nothing like that happened here. They're railroading her on a technicality.

Re:Good

[sacrilicious]

I could make the same argument for randomly trying passwords against accounts. "I'm just checking to see if this key happens to work in this door...."

To flesh out this analogy a bit: suppose I contract with AT&T to come up with a system of cleaning my house every week. AT&T sends maids each week, and installs a front door on my house to facilitate the maids, and tells me that the door is "safe". Then along comes this guy who has realized that any kid with a slide ruler can easily open every one of these allegedly "safe" doors.

And the vulnerability is so obvious that AT&T either knew all about it or was so stupid that it rises to gross negligence. To me it's practically immaterial whether he made any effort to tell AT&T (don't know if he did), but based on AT&T prosecuting him, I'm willing to believe AT&T was in no mood to do jack squat about their "error".

Re:Good

[tragedy]

When you look at how law is actually practiced, all grandiose legal principles end up looking like myths. The reality of any large bank error in anyone's favor is and probably has always been that they will be intimidated into returning the money under threats of criminal charges and massive civil lawsuits. The view that banks take is that, if you make an error, you need to be punished for it with fees and, if they make an error, you need to be punished with fees, although they will be generous and waive the fees provided you don't require them to admit any fault.

Re:Good

[tragedy]

I made no claim there except that, if it's analogous to a door, it's to the door of a business open to the public rather than a private residence.

Re:Good

[fearofcarpet]

Bottom line: it is ludicrous-speed absurd to prosecute somebody for publicizing already public information. If a newspaper accidentally prints the names and addresses of its entire subscriber base in the classifieds, and I call them to report it, can I then be held accountable for "releasing" the information?

They've gone to plaid!

Re:Good

[ralphaostrander]

He did not steal anything they were in plain sight on their web sire no hacking involved www.righthere.are.all.our.emails.comgetthem

Re:Good

[dbIII]

If it happened with paper instead of on a computer the sentence wouldn't be more than you would get for rape.

Re:Good

[BasilBrush]

"Are you just HUNTING for stuff to argue with me about? Could it be that says something about you?"

It says that we have at least some overlap in the stories that interest us. If you look at both this and Saturday's North Korea story, you'll find that I made several messages to different people on each, and didn't start with responding to you.

It says something about you though. It says that you're a little susceptible to paranoia.

Re:Good

[BasilBrush]

But it's the staff only door round the back that leads to the office where the filing cabinets are.

Re:Good

[BasilBrush]

The warehouse door at the back of a store is easily accessible by the dishonest member of the public. That does mean it's a public entrance, just because the store welcomes people in the front door.

The law doesn't concern technical measures of security on behalf of the owner of property. It concerns the actions and intents of those who do dishonest things. There is no doubt that spoofing other people's identities in order to get data you know you shouldn't have access to is dishonest. This case demonstrates it's also illegal.

And the criminal saying "but it wasn't locked" isn't a valid defence.

Re:Good

[BasilBrush]

That's still sounding rather myth like. An administrative error in an account is an administrative error. It doesn't and to my knowledge never did entitle you to a windfall of actual cash that isn't yours.

There's lots of wishful thinking that it does, I'm sure.

Re:Good

[Hatta]

It's not a warehouse, it's a website. The internet works on default allow policy. Assuming anything else makes it a crime to access slashdot.org without specific written authorization.

Requesting an URL with a specific user ID in the URL isn't "spoofing other people's identity". I'm not spoofing your identity when I visit slashdot.org/~BasilBrush, and weev wasn't spoofing anyones identity either.

Default allow is the only workable policy for the public internet. Requesting URLs must be unequivocally legal, or the internet simply doesn't function.

Re:Good

[BasilBrush]

The internet works on default allow policy.

That's something you made up on the spot. It certainly has no standing in law.

Requesting an URL with a specific user ID in the URL isn't "spoofing other people's identity". I'm not spoofing your identity when I visit slashdot.org/~BasilBrush, and weev wasn't spoofing anyones identity either.

slashdot.org/~BasilBrush is intended as a page about me, accessible by you and anyone else. However, my account information page, including my email address, is not accessible to you, unless you manage to spoof being me.

Yes, he absolutely knew he was spoofing someone else, and not simply accessing information he knew was intended for him.

Requesting URLs must be unequivocally legal, or the internet simply doesn't function.

Bullshit. Most people don't go around trying to find holes in security, and taking information they know isn;t meant for them by spoofing other people. This action is not required for the internet to function at all.

Hackers (in the gaining unauthorised access meaning) are needed by the internet to the same extent that shoplifters are needed by retail.

Re:Good

[Hatta]

The internet works on default allow policy as a mater of technical fact. That the law doesn't know that is a problem with the law.

However, my account information page, including my email address, is not accessible to you

Exactly, because slashdot is smart enough to hide personal information behind a password. If slashdot was not that smart, then by your argument navigating to your account page would be illegal for me to do. How is it just for the exact same action on my part to become criminal just because the remote website is run by idiots?

Most people don't go around trying to find holes in security, and taking information they know isn;t meant for them by spoofing other people

There was no hole in security because there was no security at all. Nothing was broken into and no one was spoofed. All he did was request URLs.

Re:Good

[StuartHankins]

Perhaps you missed the punks smirking on camera, or you missed the quote that they should've raped her because they were getting punished for it anyway. Or the regret that one had -- not for penetrating her digitally, or for trying to get her to give him oral sex when she was passed out -- but instead for filming it.

No regrets? Fine then, these kids deserve to be made into examples. For the betterment of our society.

And FWIW, here in Florida you can get put on a sex offenders list for public urination. The last time I checked with an offenders app, there were 75+ people in five miles -- including many within my community which requires a background check and approval to live here -- and I live in an upscale golf community. So no, while a pain, I don't think this is any big deal because they've watered down the definition enough that it seems lots of people have it. And obviously they are living their lives just fine.

Re:Good

[BasilBrush]

If slashdot was not that smart, then by your argument navigating to your account page would be illegal for me to do.

That's NOT my argument. Once again, weev didn't NAVIGATE to a page with email addresses on. He spoofed a request, pretending to be someone else. Then repeated it 114,000 times. Well actually, he probably did it far more times even than that, but he had 114,000 successes.

no one was spoofed. All he did was request URLs.

These are not contradictory things. His requests were spoofed. Why is that so hard for you to understand?

Actually I think I know. Slashdot is full of geeks. Geeks think hacking is clever. They can imagine themselves doing it. They may actually do it. And they don't want to see it as a crime. Even though in many cases, including this one, it is.

Re:Good

[BasilBrush]

Calm down. It was a crime committed by juveniles, and they've been found guilty and been punished appropriately for juveniles. You venting youur aggressive feelings is of no use to anyone.

Re:Good

[Hatta]

What's the difference between spoofing, and requesting an URL? What made weev's HTTP GET a "spoof" and what makes mine legit? Lay it out for me in technical terms. Is it because he constructed the URL manually? Guess what, I constructed the URL to your user page manually too. What's the real difference?

FWIW, there was nothing clever about this at all. weev's a dick, and he deserves to be in jail, but for many other things. But in this particular act, he was clearly unjustly railroaded. I wish he had been caught *actually hacking*, in which case I could enjoy the shadenfreude. But this isn't hacking, and this ruling endangers everyone on the internet.

Re:Good

[CanHasDIY]

A fedex letter sent to their legal department would probably have been looked at.

... and subsequently discarded.

It seems, based on my experience, that there's only 2 criteria to getting hired at AT&T - 1) you have to be a jerk, and B) you're not allowed to show any amount of competence.

Re:Good

[BasilBrush]

What's the difference between spoofing, and requesting an URL? What made weev's HTTP GET a "spoof" and what makes mine legit? Lay it out for me in technical terms. Is it because he constructed the URL manually? Guess what, I constructed the URL to your user page manually too. What's the real difference?

We don't have the actual headers of the request he used. But we know he didn't just construct a URL. We know that he constructed a request pretending to be (spoofing) a request from an iPad. So he set up the User Agent to claim to be from a particular iPad app (not the same as pretending to be a generic browser). And he set up a request for a particular iPad identity. Which would typically be in the body of a request, not the URL. He may have spoofed other elements, but as I say we don't have the actual request in question.

So yes, there IS a difference technically. But more important there's a difference legally. You might have constructed that URL manually, I don't know. But you did it in the knowledge that you could have navigated there using the intended links. That that information was intended for public consumption. Weev did his exploit knowing that he was accessing stuff that was not meant to be public.

Look, there is no technical difference between you driving off in your car and a criminal stealing your keys and driving off in your car. The difference is in authorisation and in intent.

Just because something isn't protected by locks or other security measures doesn't mean it's OK for you to steal it. And even though the technical process of taking something that belongs to you is the same as a criminal stealing something, it doesn't mean that they are both legal.

Re:Good

[Hatta]

We don't have the actual headers of the request he used. But we know he didn't just construct a URL. We know that he constructed a request pretending to be (spoofing) a request from an iPad. So he set up the User Agent to claim to be from a particular iPad app (not the same as pretending to be a generic browser). And he set up a request for a particular iPad identity. Which would typically be in the body of a request, not the URL. He may have spoofed other elements, but as I say we don't have the actual request in question.

So users of the User Agent Switcher are hackers now? None of this amounts to any type of authentication or authorization, so it's impossible for any reasonable person to say his access was unauthorized.

But you did it in the knowledge that you could have navigated there using the intended links.

How am I supposed to know whether a URI has links to it or not? Why is the presence of a link (which could be created by third parties) more important than the actual security settings of the web server?

Just because something isn't protected by locks or other security measures doesn't mean it's OK for you to steal it.

Again, the internet operates on an assumption of default allow. The only way I know whether I am allowed to access a resource is to try and see if it is available.

Re:Good

[Synerg1y]

Exactly my point, it's not worth associating your name with information you know is in the grey area at best. Everybody's that's leaked anything and taken credit for it has had this happen to them, it's not good or fair... but it can be avoided while still getting the message across.

Re:Good

[Jane+Q.+Public]

"It says that we have at least some overlap in the stories that interest us."

Okay. Good point.

Re:Good

[Hatta]

We don't have the actual headers of the request he used. But we know he didn't just construct a URL. We know that he constructed a request pretending to be (spoofing) a request from an iPad. So he set up the User Agent to claim to be from a particular iPad app (not the same as pretending to be a generic browser). And he set up a request for a particular iPad identity. Which would typically be in the body of a request, not the URL. He may have spoofed other elements, but as I say we don't have the actual request in question.

I also want to add that all of those activities sound exactly like one would do if he wanted to reverse engineer a protocol for compatibility reasons. That is a practice that has been in wide use for a long time, and the internet wouldn't exist as it is today without it.

Prosecuting someone who has poked around at a web server with no authorization controls hurts all of us who want to use third party clients with proprietary web apps.

Further, I want to add that this is a bad ruling for policy reasons. If you want AT&T to implement good security (and I think we all do), you have to hold them liable for breaches of that security. If they can go crying to the police every time their lack of security bites them in the ass, they have no incentive to implement real security.

Prosecuting someone who has done nothing but request URLs and give their content to a newspaper hurts all of us who expect our private data to be secured with actual authorization controls.

Re:Good

[JakeBurn]

So by not locking my doors I am making all my belongings legally accessible?

Re:Good

[StuartHankins]

And see we're right back where we started. I disagree that these punishments were sufficient for their crimes.

I am puzzled by your "calm down remark" however. Perhaps you misread. At any rate, we're not getting anywhere in this conversation.

Re:Good

[tragedy]

But it isn't. You might be able to argue that there are lots of doors, each intended for a different member of the public, but it's not the staff only door.

Re:Good

[tragedy]

Midnight deadlines have always required that the banks either accept or reject a transfer of funds by the deadline. They certainly will go after you for any large sum of money, but they're not supposed to make the mistake in the first place.

Re:Good

[BasilBrush]

So users of the User Agent Switcher [mozilla.org] are hackers now?

I preempted your obviousness with the phrase "(not the same as pretending to be a generic browser)" in my post. Did you not read it?

Again, the internet operates on an assumption of default allow.

Again, you made that up on the spot. And it has NOTHING to do with law.

The only way I know whether I am allowed to access a resource is to try and see if it is available.

And the only way you can know whether you are allowed access to a building is to try all the doors, and assume it's public property if you find one that isn't locked?

I repeat, what you think is not illegal clearly is, because this guy just got convicted for it. The evidence is on my side.

Re:Good

[hazah]

Way to dodge the question. I actually admitted nothing and asked what AT&T was fined. Appearantly that wasn't clear enough so I will restate it just for you... what amount did AT&T get fined?

Re:Good

[Rakarra]

Please, remind me how many months in jail did the Santander employees responsible for money laundering for terrorists get... oh, wait, I remembered, they didn't even get prosecuted, because rich people can screw everybody freely.

Could you provide references for that? Not saying it didn't happen, but it's extremely hard to find any reliable news reports for that. The closest I can find is a Guardian report that Santander shut down open accounts with Sepah after Sepah was placed on a terrorist blacklist.

I remember hearing a guest talking about this on the PBS show Moyers and Company, but I've learned not to trust his show or his sources.

Re:Good

[BasilBrush]

I also want to add that all of those activities sound exactly like one would do if he wanted to reverse engineer a protocol for compatibility reasons.

Absolutely. And I've been working on exactly that for the past week. However if I found a way to retrieve other people's personal details with the API I'm looking at, I'd need to stop right there, and only do it for my own details.

It's intent that's the issue, not technology.

I need to be very clear where the line is, because I don't want to end up in the slammer like this dude. However, since I'm not a troll, and it's not generally my objective to create problems for other people everywhere I go, it's unlikely.

Re:Good

[dmbasso]

Could you provide references for that?

My bad, I meant HSBC, not Santander: http://www.nytimes.com/2012/12/12/opinion/hsbc-too-big-to-indict.html?_r=0

But Santander came to my mind probably because of the episode you mentioned: http://www.telegraph.co.uk/finance/markets/2812719/Santander-traded-with-blacklist-Iranian-bank.html

Re:Good

[BasilBrush]

I'd argue that a HTML delivering web-server, and a JSON or XML or whatever based webservice is a different door. Regardless of the fact that the same web-server servicing HTTP requests might enable both of them. Same building, two different doors.

Re:Good

[Hatta]

I preempted your obviousness with the phrase "(not the same as pretending to be a generic browser)" in my post. Did you not read it?

What's the significance of that? A user agent is not an authorization or authentication mechanism. It doesn't matter what the UA is, it's not hacking.

Again, you made that up on the spot. And it has NOTHING to do with law.

Bullshit. It's easily independently verified as fact. Either publicly facing web servers are intended to be default allow or default deny. Let's assume they are default deny. Did you get permission before you sent slashdot.org an HTTP GET request? No? OMG, unauthorized access! Hacker hacker! Better get the FBI!

But, you say, there's a TOS that authorizes access. Unfortunately, that TOS resides on a page that you can't request without already having authorization. You have to make an unauthorized request before you even know if you have authorization. Clearly, this is a cluster fuck, and would make the internet unusable if default deny was the standard.

So there you have it. Assuming that default allow is not the general policy of the internet leads to an absurd result. Therefore default allow is the policy of the internet. QED.

And the only way you can know whether you are allowed access to a building is to try all the doors, and assume it's public property if you find one that isn't locked?

Ah, so at least you admit that it's OK for me to jiggle the lock. Now explain to me how I can jiggle the metaphorical lock and determine whether or not I am authorized without getting the content back.

If all I do is jiggle the lock, and the web server responds with private data, who's fault is that?

I repeat, what you think is not illegal clearly is, because this guy just got convicted for it. The evidence is on my side.

You assume the government itself obeys the law. We abandoned the rule of law a long time ago. Most activity of the government is illegal and they only get away with it because they have all the guns.

Re:Good

[Aryden]

So you left your windows open, a guy sees across the street and watches your TV for a few minutes. Then he goes out with some friends and tells them about the show you were watching.

Re:Good

[tragedy]

But the door he went through was open for customers, not just employees. Maybe we should say that, instead of a store, it's a commercial venue like a museum or theme park, open for guided tours, but set up in such a way that just anyone can walk in. Or maybe trying to torture this into an analogy to actual, physical private property is a losing proposition.

Re:Good

[JakeBurn]

A tv show isn't personally identifiable information that could be used to scam someone or steal their identity. If it was then the guy in question would be an accessory to those crimes by providing that information to someone who used it for those purposes.

Re:Good

[BasilBrush]

"But, you say, there's a TOS that authorizes access."
"Ah, so at least you admit that it's OK for me to jiggle the lock."

No, I haven't said either of those things, nor do they represent anything I have said. It's symptomatic of the fact that you have no case, that you're arguing with things I haven't said, rather than things I have.

Again, the law is clear in the result of the case. There's nothing absurd about the result and I've told you why. I no longer care that you choose to believe the contrary.

Re:Good

[fatphil]

If that's true, then any editing of the URL by hand would constitute fraud.

There is precedent. People have been charged for removing the filename part in order to get a directory listing in the past.

Both of which are pure unadulterated bullshit, propagated by *dangerous* people who shouldn't hold the seats they hold.

Re:Good

[Aryden]

Your address isn't posted on your mailbox/door? Phone number listed in the phone book with your address and name? There is far more available information about you than your email address everywhere you look and perfectly legal to obtain.

Re:Good

[JakeBurn]

And what does anything that you've typed have to do with the issue at hand? That's right you missed the point. Oh yea, Lemons are yellow. Indisputable, irrelevant fact. I win.

Re:Good

[countach]

Depending on the method he used to get the info, it may be more like leaving your door open with a sign saying "free food within".

Re:Good

[countach]

I don't like the word "forged" as the word automatically is associated with a defarious activity. I mean, typing a URL into the browser is not exactly "forging", assuming that is what he did.

Re:Good

[countach]

photographing things in public is not illegal. Doing what you want with the photos is not illegal (generally).

Re:Good

[Luckyo]

I'm quite certain that loopholes on servers do not come with welcoming signs. More like he went into the home he had the spare keys to to steal food.

Re:Good

[jwhitener]

He didn't "break in". He sent requests to a publicly-accessible web server, and AT&T sent back private information. This wasn't hacking, or even a DOS attack. AT&T is at fault here.

I'm not seeing how that is different than if someone leaves their curtains open, and I video record them. I can get in trouble for video recording them. Stalking charges, and doubly so if I then start uploading all the video of them to youbube or another public site, etc.. Despite the window being open, we know it is wrong to be a peeping tom.

He should have known it was wrong to violate so many people's personal data, despite the door being open to it. Just like I might be polite and tell my neighbor, "hey.. ahh... you should close your curtains at night, lots of houses can see through your windows", he should have been polite and just kept telling AT&T about the open window. He could have increased the pressure by posting blog articles or other means that would have made the fact that door is open public, but without walking through the door and removing stuff.

Re:Good

[jwhitener]

Seems a bit different than a simple GET.

Once deployed, the Account Slurper utilized a process known as a "brute force" attack
  - an iterative process used to obtain information from a computer system
  against AT&T's servers.

  Specifically, the Account Slurper randomly guessed at ranges of ICC-IDs.
  An incorrect guess was met with no additional information,
  while a correct guess was rewarded with an ICC-IDle-mail pairing for a specific,
  identifiable iPad 30 user.

Very sloppy on AT&T's part, but it wasn't like they intentional created some API that would hand out emails to the public.

It seems like what a company believes should be allowed is the driving force behind these type of charges. If I owned a server, and thought I had set it up correctly to only allow X access, but some creative person found out that they could access Y, they'd get in trouble if they attempted to access Y and were caught.

Re:Good

[jwhitener]

If any time a system that is intended to display X is manipulated in a way not envisioned by the owner/creator to display Y, and the person doing the manipulating is not punished, I could see that leading to some serious issues.

Like the owner/creator being responsible for every successful hack on their system, no matter how complex or creative.

They guy ran a looping program that was guessing ID numbers in a brute force fashion. The system only returned email addresses when he guessed correctly. That isn't quite the same as just looking through a window. It is more like punching security codes on a number pad until you get one right, with the result being someone's curtain opens and you see something that was intended to be private.

Re:Good

[Anonymous+Brave+Guy]

Thanks for the extra details. If the objection was not merely to the act of sending a GET but rather to the systematic use of GETs to try to establish unauthorised access by unexpected means, that does shine a very different light on the situation as a whole and the case seems a lot more reasonable.

Don't understand computers?

[gnasher719]

I suppose the prosecutors figured out that Auernheimer managed to lay his hands on over 100,000 email addresses that iPad owners had used to register their devices. So not random email addresses, but email addresses that were in actual use, and with some rather significant personal information attached.

So what exactly do they need to understand about computers beyond that?

Re:Don't understand computers?

[Jawnn]

That the defendant did not "break in". He did not circumvent any system or other contrivance designed to secure sensitive information. Those systems and contrivances simply did not exist. The worst that can be said of what he did was that he was irresponsible in sending the clearly sensitive information to someone else. The right thing to do, of course, would have been to contact AT&T. Had he done that, there wouldn't even be a case for restitution, unless maybe it was to compensate the defendant for doing the work that AT&T failed to do.

Re:Don't understand computers?

[Looker_Device]

The right thing to do, of course, would have been to contact AT&T. Had he done that, AT&T would have threatened him to keep quiet and then never fixed the flaw

FTFY

Re:Don't understand computers?

[gnasher719]

I never said he did "break in". But clearly he copied 114,000 email addresses that he shouldn't have copied. As a "journalist" (that's what the article says; I doubt it) did _not_ say: "I felt like I was watching a trial with a defendant who admitted he doesn't understand the law". Or common decent behaviour. Or the fact that just because you figure out how to do something, doing it might still not be a good idea.

Re:Don't understand computers?

[omnichad]

So if I take a phone book and list 110,000 numbers should I be prosecuted?

In a civil case, as that would only be a copyright issue. I'm sure phone books are salted with fake listings just like GPS map data to enable proving and prosecuting copyright infringement.

I know that's nothing to do with your argument, but it's worth mentioning.

Re:Don't understand computers?

[Jawnn]

And yet the man was tried, convicted, and sentenced for crimes he did not commit. Surely you don't actually believe that 48 months in prison is suitable punishment for failing to exhibit "common decent behavior". If so, kindly tell us what statute you'd cite for that.

Hard to feel sympathy

[i+kan+reed]

The purported target, AT&T, is hardly the nicest organization, but the actually affected people were just regular people. This doesn't seem especially out of line with the USA's normal unhealthy sentencing. We want to punish, not correct, those convicted here.

As long as that attitude remains dominant, miscarriages of justice will occur within every branch of justice(except for the super-rich).

Re:Hard to feel sympathy

the actually affected people were just regular people

not true, they were iDiots

Re:Hard to feel sympathy

[EGSonikku]

Yes, people who bough $product that differs from $YourPreferredProduct are "iDiots".

Never mind that this happened during the iPad 1 era, when there was essentially no other player in the tablet market.

Re:Hard to feel sympathy

Last time I checked, the majority of prison systems including in the US refer to themselves as "correctional services". Government-sanctioned petty vengeance has no place in a civilised society. It is however in society's best interests to prevent criminals reoffending; preferably in an efficient manner.

Re:Hard to feel sympathy

[i+kan+reed]

What's the goal of punishment? To make criminals feel bad? Who does that benefit, exactly? The victims somehow? Punishment can be an important part of correction, but punishment as deterrent doesn't work very well. Longer sentences after a certain point are correlated with an increase in recidivism. take a look.

What do you imagine you're trying to accomplish by punishing criminals?

Re:Hard to feel sympathy

[i+kan+reed]

Yes, yes, we get that you're a blood-thirsty monster who just wants to kill and kill and kill and kill over the slightest provocation.

Stole some bread? OFF WITH HIS HEAD!!
Littered? TO THE CHAIR WITH YOU!
Posted something mean on the internet? HANG EM LONG AND DRY!
Minority on the wrong side of town? FIRING SQUAD!
Challenged my dim-witted authoritarian views? TO THE GAS CHAMBER!

Countries with the death penalty have higher crime rates.

Re:Hard to feel sympathy

[i+kan+reed]

Look, I get that you're a troll, I really do. You don't have to wave a big flag that says "I'm insincere and trying to provoke a reaction". I just have a position that's pretty well supported, and if some moron wants to put up a fun little straw man for me to tear down, so much the better. Free credence to my claims.

Re:Hard to feel sympathy

[i+kan+reed]

You might as well say "suicide is the point of suicide" and kill yourself. Circular reasoning is lame, and you know it.

And no, I do not believe the underlying purpose of a police force is to serve and protect, but is unfair to say its purpose is contrary to that. Police are a manifestation of asymmetric resources naturally evolved as a part of social evolution. The opportunities that having a standing police police force outweighs the cost to a society, especially when there are good controls on corruption and excessive force.

Re:Hard to feel sympathy

[i+kan+reed]

Calling something lame when it's a fundamental logical fallacy is fine in my book.

Re:Hard to feel sympathy

[pitchpipe]

As long as that attitude remains dominant, miscarriages of justice will occur within every branch of justice(except for the super-rich).

Miscarriages of justice happen all of the time with the super-rich; they can get away with just about anything.

Re:Hard to feel sympathy

[betterprimate]

"The data included email addresses belonging to New York Mayor Michael Bloomberg, New York Times CEO Janet Robinson, ABC's Diane Sawyer, movie producer Harvey Weinstein, former White House chief of staff Rahm Emmanuel and numerous others." http://www.computerworld.com/s/article/9237685/Judge_ignores_leniency_plea_hands_AT_T_hacker_a_41_month_sentence?taxonomyId=17&pageNumber=1

Not really "regular" people.

On His Release, Weev Plans To Run For Congress

[judgecorp]

In an interview Weev says he wants to run for Congress, despite regarding the government as "seditious thugs". http://www.techweekeurope.co.uk/interview/angel-or-demon-hacker-would-the-real-weev-please-stand-up-110637

Re:On His Release, Weev Plans To Run For Congress

[flimflammer]

While I do not like Weev, that's the whole point of running for government especially if you're not a politician by trade... If you think it's being run wrong, you get involved and try to change it. Of course, that is probably a fool's errand at this point unless you can somehow get to the very top without being corrupted on the way.

Re:Well yes but,

[i+kan+reed]

Strictly hypothetically, what rock is this key under? And what's your street address? Just hypothetically, so we can look up the laws in your jurisdiction, and understand which rock not to touch.

Sentencing reveals country's values

[bigonese]

Two young men in steubenville rape a young women and get 1 - 2 years in jail. A man writes a script to get email address from a website and gets 3.5 years in jail. Something's not right.

Re:Sentencing reveals country's values

[Seumas]

It's simple. Society is sick.

Their response to one is "Well, boys will be boys!".

Their response to the other is "Oh my god, if they can webscrape publicly accessible information, the next thing these vial social outcasts will be doing is hax0ring into NORAD and launching nuclear warheads and initiating WWIII and I can't have that because I haven't finished watching Real Housewives, yet!"

Re:Sentencing reveals country's values

[Derekloffin]

Come on now, the combine trauma of those 100,000 people having their emails... oh never mind, I just can't say it with a straight face.

Re:Sentencing reveals country's values

[Nimey]

The rapists are juveniles. Sentencing is different when you commit a crime before the age of majority, and rightly so.

Re:Sentencing reveals country's values

[krlynch]

The Steubenville convictees are legally juveniles. Society has decided that we don't throw the book at them. Had they been adults, they would not be getting sent to a juvenile facility, and they would not be getting out in so short a time. It's hardly an apt comparison.

Re:Sentencing reveals country's values

[jittles]

these vial social outcasts will be doing is hax0ring into NORAD and launching nuclear warheads and initiating WWIII and I can't have that because I haven't finished watching Real Housewives, yet!"

Would you like to play a game?

Oh and I think you meant vile.. A vial is something you use in your chemistry lab! ;)

Re:Sentencing reveals country's values

If the whistle-blower in this case was a juvenile, I suspect there would have been people arguing for him to be tried as an adult.

Re:Sentencing reveals country's values

[dkleinsc]

It's all about who the victim and the perpetrator of the crime is: In the Steubenville case, the victim is a powerless teenage girl, and the perps are a couple of somewhat powerful (at least locally, where the high school football team is a privileged class) teenage boys. In this case, the victim is AT&T (the largest campaign donor in the US), and the perp is a relatively powerless computer geek.

This is just a subset of the more extreme differences: Rob $2000 from a bank, and if you're lucky you won't be shot by the police. Rob $2 billion from a bank, and the SEC or OCC will settle with you for $500 M (25% of your take) and no admission of wrongdoing.

And no, that's not the way it's supposed to work, but it's the way it's actually working.

Re:Sentencing reveals country's values

[SJHillman]

I wish I understood that when I was a minor, I would have had so much more fun...

Re:Sentencing reveals country's values

[Vitriol+Angst]

I'm not sure here if the damage was based on "AT&T's reputation" -- meaning, it hurts their income for people to know you don't need to hack them.

OR

Over 100,000 people now have their reputation's damaged for being associated by email to AT&T.

You know that only 300,000 of AT&T's closest advertisers, spammers and script kiddies have these email addresses.

Is the going rate 2 pennies an email to buy as an advertiser or am I being too pricey here?

Re:Sentencing reveals country's values

[Zontar_Thing_From_Ve]

Two young men in steubenville rape a young women and get 1 - 2 years in jail. A man writes a script to get email address from a website and gets 3.5 years in jail. Something's not right.

You have a point in that "computer crimes" are often subject to penalties that are far overkill because the legal system has few people, both lawyers and judges, who understand technology well. However, the rape case got the verdict it did for a variety of reasons.
1) The young woman wasn't actually "raped" in terms of nobody put his penis inside her, but some idiot young men fingered her and photographed it.
2) She was so drunk that she had no idea what happened. It was the photos that made this even go to trial and provided evidence of a crime.
3) The witnesses disagreed on whether or not she was able to give consent to being fingered and photographed and it became a "Who's story do you believe?" kind of issue.
4) Those convicted were both juveniles and this played some role in the time of the sentence.

I really don't see how anybody can honestly believe "Company X accidentally gave me super secret information that they don't want me to have so it's OK if I send to other people who they don't want to have it because I did nothing in terms of hacking to get it". To met this isn't all that different from you seeing an overturned money truck and grabbing as much money as you can from the spill and expecting to be able to keep it. If those guys really were so naive that they thought they could email the passwords to others, well, maybe their sentences will serve as a warning to others.

Re:Sentencing reveals country's values

[garry_g]

Two young men in steubenville rape a young women and get 1 - 2 years in jail.

A man writes a script to get email address from a website and gets 3.5 years in jail.

Something's not right.

Of course ... once you mess with a big company, your deed is so much worse than anything you could do to another person ...

Re:Sentencing reveals country's values

[Bardez]

Oh and I think you meant vile.. A vial is something you use in your chemistry lab! ;)

Sir, I wish I had mod points to give you!

Re:Sentencing reveals country's values

[Hatta]

The Steubenville convictees are legally juveniles.

Where as weev is simply emotionally juvenile.

Re:Sentencing reveals country's values

[Seumas]

No, a vial is where I keep the crack that causes me to type so fast that I don't notice typos before hitting 'submit'. :)

Re:Sentencing reveals country's values

[Seumas]

Except for all the times when we make exceptions -- and if we can make exceptions for twelve year old children being tried as adults, we can make exceptions for high school boys committing rape. I suppose you could argue that a twelve year old boy could be a stupid enough of a human being to not grasp that moves you see on fake wrestling on television (like a pile driver) should not be attempted on a baby, but you absolutely can not argue that a sixteen and seventeen year old boy doesn't know that it's wrong to commit rape or what common circumstances are commonly classified as rape.

Re:Sentencing reveals country's values

[Seumas]

Sorry, but that's bullshit. We try children as adults all the time. Remember the twelve year old boy who was tried as an adult for doing "pro"-wrestling moves from television on a two-year old, which he wound up killing? How about the thirteen year old girl tried as an adult for stabbing and killing her sister?

And you're going to tell me that a seventeen year old should be judged as having a different capacity for reasoning when it comes to rape than he would in six to twelve months, when he'll be an adult?

Re:Sentencing reveals country's values

[MarkvW]

Foolish comparison. The Steubenville rapists were tried in juvenile court. If the scriptwriter had also been charged in juvenile court, he would have gotten a MUCH, MUCH lesser sentence.

But don't let facts get in the way of your prejudices!

Re:Sentencing reveals country's values

[Comrade+Ogilvy]

Those particular examples of juveniles tried as adults are well known precisely because they are anomalies from the norm. If only more prosecutors applied the discretion demonstrated in Steubenville, Weev would be picking up trash at the side of the road in an orange jumpsuit on weekends, and we would not be having this discussion.

Do you seriously want the DA to throw the entire book at everyone all the time? Because from the POV, Weev only got what he deserved.

Re:Sentencing reveals country's values

[AntiNazi]

2) Guess all date rape cases aren't really rape. Does that also mean that if I kill someone and they are so dead they don't remember what happened that I should only get half the time?

Re:Sentencing reveals country's values

[ZosX]

They should have been tried as adults given the severity of their crimes.

Re:Sentencing reveals country's values

[DrJimbo]

Well I think they meant viral.

Re:Well yes but,

[Seumas]

Also, what time are you hypothetically home?

No understanding of computers or the internet

[jonfr]

This people do not have any understanding of computers or the internet in general. I doubt it is going to change in the future. Since this type of people are generally not computer literature at all and never have been.

I doubt they know even what an IP address is or an hard drive.

Re:No understanding of computers or the internet

[SJHillman]

But they is more English literature than you are, I hope.

Are IP addresses or hard drives relevant here? Sometimes, you don't need to understand every facet of a subject, even the the most common terms, to understand a specific case like this. All they need to understand is how a webserver works, which can be explained satisfactorily in a few minutes. Of course, it seems they neglected to take those few minutes.

Re:No understanding of computers or the internet

[tipo159]

Since this type of people are generally not *computer literature* at all and never have been.

They probably aren't computer literate either.

Re:No understanding of computers or the internet

[jonfr]

I hope that you can read Icelandic and Danish then, or German if I am up to it.

Re:Well yes but,

[Wattos]

If you find my key under a rock in my backyard, it is still theft if you break into my house with it and steal things.

The analogy is not really applicable. This is more like writing all your secrets into a notebook and putting it into a library (in a section accessible to everyone). Then you sue the person who found the notebook.

Leaving the data open to any web request is the true crime here. I do not know about the US, but in Europe that would have been a violation against the Data Protection Act.

Re:Well yes but,

[plover]

No. If you owned an automobile dealership, and wrote down the names and addresses of every customer on a poster, and I asked you for a copy of the poster, and you gave it to me, and then had me prosecuted for displaying the poster, that's the analogy you should be considering here.

Re:Well yes but,

[larry+bagina]

Bad analogy. You stick your dick in a glory hole so your wife can suck it, but it's actually a long-haul trucker on the other side.

they don't understand law, either

[swschrad]

the ATT servers were not secured. the data was figurately lying out on the street, in the old days there would be a black or brown binder holding a galloping shitload of greenbar paper, and if you flipped the binder open, it would say, "LIST OF iPHONE USERS DATA." that is thus insecure data, hence public. ATT's trash blowing across the street. the guy should not have been prosecuted, he should have been given a code for free wi-fi at McDonalds for two weeks.

take note... data wants to be free. if it isn't locked away, it will become so. just like houses and banks, if you lock your stuff up, it isn't free to all any more.

Re:they don't understand law, either

[BitZtream]

And you don't understand how rational people work.

A naked woman standing in the street doesn't mean you suddenly have the right to sexually assault her, or does that sound like its okay in your mind as well?

And lets be clear. Data doesn't give a fuck, so stop that bullshit.

And to be more clear: He took distinct actions to access data. Applying reverse engineering and some packet sniffing he SEARCHED FOR AND FOUND the data in question. It wasn't linked from any normally accessible location or anything else.

His only possible logic for 'not knowing' is if he was so stupid that he didn't understand what he was doing, but being that he got past turning the computer on, we know thats not the case. He intentionally sought out, downloaded, and distributed the data to someone else.

If you can't understand why thats wrong, I really feel sorry for you. I hope you get taken advantage of in the same way so you can get the point.

You can argue that the punishment was retarded, which it was, he wasn't actually malicious, but he DID commit several crimes.

Risk Versus Reward

[tokencode]

This is one of those cases that the defendant should have identified the risk versus reward for releasing this data. He obviously knew the data was not meant to be public otherwise he wouldn't have bothered to send them to prove a security flaw. Risk: Jail-time Reward: ? Name recognition? Better security at AT&T? My equation says no way in hell would I release that data. If you really care about security so much, inform the proper owner of the data, not a news agency.

Re:Risk Versus Reward

[hypergreatthing]

Sometimes doing the right thing is risky, but it weighs on your conscious a little less.
Sure his life is basically a lot of turmoil now, but it exposes a broken judicial system. So in return for having AT&T and the justice dept ruin his life, we might be able to focus on this broken system and help get it repaired once and for all.

Re:Risk Versus Reward

[tokencode]

No, he tried to bolster his own ego and fame. He did not do this to show flaws in the justice system, I'm sure he never thought he would be involved with the justice system over this initially.

Publicly-Accessible Data=Prison??

[BlueStrat]

In 2010, querying a public AT&T database yielded over 114,000 email address for iPad owners who were subscribed to the carrier.

If the database was publicly-accessible, how is it a criminal act, as a member of said "public", to actually access it? That's like a newspaper that accidentally publishes data it considers private and prosecuting readers.

The criminal act was negligence by AT&T. This is simply a distraction and face-saving prosecution to wash AT&T clean of culpability.

Strat

Re:Publicly-Accessible Data=Prison??

[gnasher719]

If the database was publicly-accessible, how is it a criminal act, as a member of said "public", to actually access it? That's like a newspaper that accidentally publishes data it considers private and prosecuting readers.

It wasn't publicly accessible. The information of _one_ iPad owner was accessible to that _one_ iPad owner. He figured out how to make his computer pretend to be many different iPads.

There was some interesting discussion recently about anti-hacking laws were huge problems were caused by the fact that the law makes "exceeding authorized access" a crime, which can then be used to apply in all kinds of situations that actually don't have to do anything with hacking. This one is the opposite: The guy didn't have authorization to access the email addresses of any iPad user, except possibly his own if he owned an iPad. So no "exceeding authorized access" but no right to access at all.

Re:Publicly-Accessible Data=Prison??

[BlueStrat]

In 2010, querying a public AT&T database yielded over 114,000 email address for iPad owners who were subscribed to the carrier.

If the database was publicly-accessible, how is it a criminal act, as a member of said "public", to actually access it? That's like a newspaper that accidentally publishes data it considers private and prosecuting readers.

Publicly-accessible and intended for public use are not the same, and in the circumstances it was clear that this was not intended for public use. Your newspaper analogy fails because while the access controls were nearly non-existent, it was still necessary to actively seek out information on other users by forming deliberately false queries for the server - it wasn't deliberately distributed by AT&T.

There is still the matter of due diligence responsibilities on the part of AT&T to secure the data.

Seems like it's akin to a bank storing stacks of money next to the public sidewalk with nothing but a sign that says "please don't take the money" and prosecuting for bank robbery anybody that takes any of the money.

Sure saves the business a ton on security-related expenses when they can effectively make security measures and security breaches everyone else's responsibility but theirs.

Strat

How does this not qualify as...

[Roskolnikov]

whistle blowing?

if he would have called AT&T and told them he found this, they would have accused him of hacking, he leaks it to a journalist and gets jail? did the journalist turn him in?

Re:How does this not qualify as...

[Endo13]

He probably admitted to it himself, completely underestimating the sheer stupidity our justice system is capable of.

Just because I forgot to lock the door

[Dorianny]

Forgetting to lock my door makes it easier for a thief to enter my house and steal but it doesn't excuse or even lessen the crime, that being said the sentence seems rather excessive for what is little more than a inconvenience to the people affected by the release of their email address.

Re:Well yes but,

[deesine]

Those rocks are for you to look at, not to step on my property and start turning over. Of course, once the cost becomes negligible for a robot to do the rock turning for you, then I'm sure we'll have a rash of home break ins committed by key wielding robots.

A question of disclosure to whom, when.

[Lashat]

Many conflicting articles have been released concerning when the flaw was disclosed to whom. IANAL, but I *think* this may have been the crux of the prosecution's case. If the flaw was disclosed to others before AT&T or perhaps the people whose emails were discovered = crime. If not = no crime.

I am not advocating this position as correct. Just trying to present an opinion.

One of the better articles on the subject of disclosure, still leaves many murky grey area problems for any professional security researcher.
http://www.wired.com/opinion/2012/11/hacking-choice-and-disclosure/

Who stole things?

[Comboman]

If you find my key under a rock in my backyard, it is still theft if you break into my house with it and steal things.

No one is being charged with stealing things. They are being charged with (to extend your analogy) telling the newspaper what an idiot you are for hiding your key under a rock.

Re:Well yes but,

[Endo13]

That's not what happened at all. If you must have a key analogy, here's what happened.

You gave your key to a company for safekeeping. He walked up to the company and asked for your key. They gave it to him. He, in turn, gave it to a news company to point out how flawed the "security" was of the company you gave your key to.

Re:Well yes but,

[PantherX]

If we're going to do analogies, let's pick something that is closer to what actually happened.

If I request a copy of your bank statement that is in your locked home, and you go inside, get it and come back and give it to me, that's not theft.

If you set up an automation to go and get information or things for people outside of your home and the automation gives out the wrong information or things, that's still your responsibility.

Re:Well yes but,

[BitZtream]

Except it was if you were asking for the poster as if you were someone who was supposed to have access to the poster. He was impersonating a person (or machine in this case). He didn't visit att.com and it spewed 100k email addresses at him. He did some traffic sniffing and reverse engineering.

He made an effort to obtain the data. That is what makes it criminal.

reminds me of Harvard B-school hack

[peter303]

Applicants could peek ahead at the status of their admissions by adding a few numbers to their URLs on the site. Harvard rejected all of the people who tried the hack. And told other ivy b-schools about them too who also rejected them.

... and if Google had done this...

[tekrat]

They would only be fined 1 days worth of profits...
Corporations are people too? Bullshit. Corporations are treated better than people, under the law. I seriously suggest that every individual incorporate themselves and, when accused of any wrongdoing, claim it was via the corporation, and suggest that the law take it up with the board of directors.

Re:Well yes but,

[hypergreatthing]

If you find my key under a rock in my backyard, it is still theft if you break into my house with it and steal things.

But if i hand you a camera, you go and take pictures of all your credit cards and hand the camera back to me, is that a crime?
Lets be real here. There was no house, there wasn't a door, there was no security at all. There was no theft, no loss of property. Just a company caught with it's pants down giving out it's customer's sensitive information. Sure, you had to know where to go to get the information, but that doesn't change anything.
If there was an ATM giving away free cash and someone had the smart idea to just ask for all it's cash at once, would he be guilty of a crime? I'd say no. Apparently prosecutors and judges who think internet are like tubes think otherwise.

Re:Well yes but,

[xclr8r]

Try again. If I send you a letter asking for you to send me your key and you send it that is either your own fault or the house keeper's fault (AT&T in this case). You/AT&T have the ability to not send the key. If this was a buffer overflow or some injection attack you might have a point but that is not the case in this instance.

Re:Well yes but,

[omnichad]

I'm sure this is pointless to comment on, but if such robots existed, they could generate their own keys just by taking a picture of the inside of the lock, couldn't they? Fiber optics are great.

...and the moral is...

[clam666]

Don't snitch.

No focus on AT&T liability?

[sl4shd0rk]

The same type of reckless design that went into AT&T's website for registration is symptomatic of the direction the industry has been heading. It represents that YOUR PRIVACY in the hands of a monopoly is not worth two-shits to them. Even if it was "only an email address" it could have easily been your SSN# on a CD, or medical record on an unencrypted laptop, voting record or ballot on a voting machine, whatever. Weev sounds like a jackass, but I would have expected better security from AT&T. If you're going to take the place to be a reactionary "victim" then maybe you should ask yourself who victimized you first -- AT&T perhaps? If AT&T left your car unlocked, would you still blame the thief?

Re:No focus on AT&T liability?

[Rozzin]

If you're going to take the place to be a reactionary "victim" then maybe you should ask yourself who victimized you first -- AT&T perhaps? If AT&T left your car unlocked, would you still blame the thief?

I don't know if I'd blame AT&T for the theft just for leaving my car unlocked, but I'd definitely blame them for it if they gave my keys to anyone who asked.

Re:Well yes but,

[flimflammer]

You are really bad an analogies.

Re:Well yes but,

[flimflammer]

You clearly don't understand how breaking and entering works. Merely pushing open the door once you unlock it with the key you found is sufficient force to become breaking and entering. If you do it with the intent to take something, it instantly becomes burglary.

Re:Well yes but,

[flimflammer]

BULLSHIT. Unless you *actually steal something*.

Trespassing is still a crime, even if you don't steal anything from a residence.

Re:a monster off the streets. everyone is safer.

[flimflammer]

s/streets/internet

Now you can toss the sarcasm tag.

Re:FAT&T

[tokencode]

The same fine for leaving your door unlocked to your house, none. Making something easy to steal does not negate he fact that it was stolen.

He asked for it

[harlows_monkeys]

The day before sentencing, he did an AMA on Reddit, and in that he said that he was sorry that he did not do more harm, and said the next time he will do much more harm.

The prosecutors saw this and brought it up at the sentencing hearing, and it is likely a factor in why he got a relatively long sentence.

If anyone should get 41 months...

[loshwomp]

If anyone should get 41 months, it's the ATT folks responsible for letting anyone with an IP address pull the private data out of a public server.

Show me.

[westlake]

We have convicted rapists and murderers that seem to get off with lighter sentences than people that do anything that involves a computer these days, even if the results don't hurt anyone and only embarrass a company or some govt. personnel.

Show me the numbers and then we can talk.

Real stats for the rapist and murderer. Real stats for the geek whose computer-related crimes earned him hard time.

In the American federal system, crimes of violence are almost always prosecuted under state law.

Execution List 2012 Each state on this list, for example, has executed between 1200 and 1300 death row inmates since 1976.

Federal Executions 1927-2003: 23.

The DOJ's Computer Crime & Intellectual Property Section archives its press releases of charges and convictions dating back to 2000. It's a useful corrective to the notion that the geek's crimes are victimless. That he hasn't hurt anyone.

CCIPS Press releases

Re:Well yes but,

[Theaetetus]

If you find my key under a rock in my backyard, it is still theft if you break into my house with it and steal things.

The analogy is not really applicable. This is more like writing all your secrets into a notebook and putting it into a library (in a section accessible to everyone). Then you sue the person who found the notebook.

That's not an applicable analogy either. They had to spoof the ICC identifiers in order to get the data, so this would be like going to the post office and saying "Hello, my name is Mr. Burns. I believe you have some mail for me?" You're not asking for publicly accessible information - you're explicitly asking for confidential information using a fraudulent identity. Now, sure, their security system sucks, but it's still breaking and entering regardless of whether someone's house has a screen door or a solid metal door.

Re:Well yes but,

[Theaetetus]

Try again. If I send you a letter asking for you to send me your key and you send it that is either your own fault or the house keeper's fault (AT&T in this case). You/AT&T have the ability to not send the key. If this was a buffer overflow or some injection attack you might have a point but that is not the case in this instance.

They did spoof an identity in each request. So, this would be like you sending me a letter asking me to send you my key while pretending you're the neighbor I paid to housesit while I'm away. And then you send a million of those letters, knowing that odds are that someone has a neighbor housesitting for them who will panic and send the key. Sending the letter or the GET request isn't the crime, it's the fraudulent misrepresentation of your identity to gain confidential information that's the crime.

Are we all forgetting

[segin]

That this is the same weev that took control of the GNAA after 'timecop' fell out?

public database?

[fazey]

What exactly is a public database? and why would at&t be storing customer information in it?

When I had the chance

[kilodelta]

I once worked as the I.T. Director for the State AG's office. I coached a lot of prosecutors on technology issues. But on the federal level it is different. It's more isolated, knowledge sharing is almost frowned upon.

But in my view, a prosecutor who has more than a passing knowledge of technology and infosec is a better prosecutor.

Re:Well yes but,

[MiG82au]

Have you even looked at how a pin tumbler lock works? All you'd see is a series of pins at a constant height.

Death Penalty

[Tenebrousedge]

Indulge me in a little hyperbole: for a friend of mine, hacking AT&T was a death sentence.

Lance Moore was involved with LulzSec, foolishly no doubt. As an AT&T technician of some sort, he acquired and subsequently distributed some internal corporate documents. The Justice department is liable to be a more accurate source of the specific complaints. He was caught. The FBI seized its opportunity to bring the hammer down. I've seen various figures given for the amount of jail time he was facing; somewhere between five and thirty. He was found dead by his own hand on February 24 of last year. His crime has by now likely been forgotten by all that were involved with it.

Sixteen other people were arrested the same day that he was arrested. I don't know their stories. The reader may judge whether justice was served.

Jury Nullification

[ka9dgx]

A competent jurist would have nullified the verdict, having found the law injust.

We NEED jury nullification to be wide-spread and stop this shit.

Re:FAT&T

[blackpaw]

Bad analogy. A public company made *other* peoples private data freely available, by negligence and/or incompetence. Completely different to a private individual making their own data public.

Juvenille Justice

[westlake]

Two high school kids just got 1 year each for raping a drunk 16 year old at a party (where people actually filmed and took pictures of it happening)..

It is not a determinate sentence.

Ohio Youth Services can keep them locked up until they are 21, if they think it is appropriate. They will then become registered sex offenders ranked by a judge according to the threat they appear to present at that time. Two teens found guilty in Steubenville rape case

Hackers might not survive 41 hours

[Frank+T.+Lofaro+Jr.]

Also, the average computer hacker is likely to get raped within 41 hours, never mind 41 MONTHS! (3 YEARS, 5 months)

He's gonna get it on the inside. He'll be better off than the child molesters, but that's about it. Hacker = easy prey.

Hans Reiser was a hacker and also a killer, and he even got beat up in prison. This guy is just a hacker.

Re:FAT&T

[ogdenk]

Yes but if I ask you for your stuff and you give it to me, that's not theft. That's you not paying attention.

He didn't TAKE the information from the computer. He asked and it willingly gave it up. No hacking required. That makes it a public service connected to the public internet. The info contained on that public service should be fair game.

Twisting facts and being ignorant of how the internet works is no excuse for sending this guy to jail. Being an asshole wannabe is not a crime.

Re:FAT&T

[ogdenk]

And as an added thought.... I'm sure that jury was stacked full of technically minded folks with a good grasp on networking technologies that completely understood the allegations.

If they keep this up...

[aralin]

... US will be deprived of all hackers, nobody will dare to probe systems for security for fear of exorbitant punishment, the country's infrastructure will be vulnerable and in serious danger. Further, the curiosity of young people is turned away from computer systems at a time when we are suffering under a crucial shortage of computer nerds. If there ever is a next war, it will have a strong cyber component and the US will be so painfully inadequate it will feel like slaughter by the Russians and/or Chinese. Those prosecutors should be shot for treason as a matter of national cybersecurity.

Bad analogy

[dbIII]

It's more like taking a photograph of your house from the fence line. Serves you right for having the curtains open and no pants on at the time.
Thus we've got a criminal conviction of the guy that caught AT&T with their pants down. The difficult question is should it be a crime or not and does it really deserve such a harsh sentence - it looks a lot like a head on a pike to discourage others to me, so more "might makes right" than anything you'd wish for in a western democracy.

another reason to boycott AT&T's fine products

[0-9a-zA-Z_.+!*'()123]

if their pricing and quality (or lack thereof) weren't enough.

Help with an analogy

[oxdas]

My first reaction to this verdict was that a crime had not been committed, but the more I think about it, the less certain I am. I have come up with an analogy to help me sort it out:

A business writes the names and personal information of its customers on an ourside wall. In order to access the wall, a person must first walk down an alley. The alley leads directly to the street and there is not any security or signs indicating if the alley is public or private. I walk down the alley and see the data. I return later, with a notepad, and record all the customer information. I turn over the information to a local newspaper. It turns out the alley was private property.

Have I committed a crime? If yes, which crimes and what punishment could I expect?

Re:Help with an analogy

[countach]

But its not a private alley, its a public alley that the company thought was a private alley.

Re:Help with an analogy

[oxdas]

Are you suggesting that the server was public property?

The hardware was private and the intention of the company was for the information to be private. Now, they displayed the information in a manner that allowed anyone to gain access to it without explicit knowledge that it was private information. This is what I am trying to capture in the analogy.

Magnificent freedom circling the drain

[pha3drs]

As with so many freedoms, lack of proper understanding leads to all sorts of trouble, cost, harm and ultimately death. I remember during the dawning of GNU, playing with these new innovations before the ludite lynch mobs, when the word "hacker" was only known by the uber informed few. As with everything that becomes popular we must accept a certain level of legislation but things are completely out of control and innovation is paying the ultimate price. The prosecutor on this case should be barred from practicing law at the least, however, war mandates a much more final outcome. I have tapered my ./ visits as of late because it continues to deliver articles that really piss me off. I send letters to the talking heads daily, I support open source everything but have that looming feeling that this is going to turn violent before we see a solution because there is virtually no place to direct ones rage / effort that has any effect what-so-ever.

ridiculous

[mladams]

That was a major oversight on the part of ATT. Whether the defendant's actions were malicious or not, ATT is at fault here. There is NO EXCUSE for their publishing all of that private information freely on the internet. ATT are NOT victims...they are perpetrators even if it is through their own incompetence. The fact that they pressed charges and that this sentence has gone this way has ensured that I will not use ATT as a carrier in the future...wow, what scum bags!