Slashdot Mirror


41 Months In Prison For Man Who Leaked AT&T iPad Email Addresses

In 2010, querying a public AT&T database yielded over 114,000 email addresses for iPad owners who were subscribed to the carrier. One of the people who found these emails, Andrew 'weev' Auernheimer, sent them to a news site to publicize AT&T's security flaw. He later ended up in court for his actions. Auernheimer was found guilty, and today he was sentenced to 41 months in prison. 'Following his release from prison, Auernheimer will be subject to three years of supervised release. Auernheimer and co-defendant Daniel Spitler were also ordered to pay $73,000 in restitution to AT&T. (Spitler pled guilty in 2011.) The pre-sentencing report prepared by prosecutors recommended four years in federal prison for Auernheimer.' A journalist watching the sentencing said, 'I felt like I was watching a witch trial as prosecutors admitted they didn't understand computers.'

62 of 459 comments

  1. Good by kamapuaa · · Score: 4, Insightful

    Know I'll get modded down for going against Slashdot groupthink. But what is the argument suggesting? "It all happened on a computer, it shouldn't be prosecuted?" Stealing private information and releasing it publicly isn't just obviously illegal, it caused grief for 114,000 people.

    Even if AT&T has a shitty security system, that doesn't make it legal to break in. I'd love to see Slashdot do more mundane crimes. Maybe the home had a sign saying "beware of dog," but the dog was actually at the vet, so the robber was just publicizing a security flaw.

    --
    Slashdot: providing anti-social weirdos a soapbox, since 1997.
    1. Re:Good by 1729 · · Score: 5, Insightful

      He didn't "break in". He sent requests to a publicly-accessible web server, and AT&T sent back private information. This wasn't hacking, or even a DOS attack. AT&T is at fault here.

    2. Re:Good by MetalliQaZ · · Score: 4, Insightful

      AT&T publishes the addresses on the web, even though they aren't advertised, they are essentially free to anyone who knows where to look.

      Guy finds it, attempts to blow the whistle

      Guy is criminal, AT&T takes no liability

      Justice!

      --
      "Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
    3. Re:Good by Mullen · · Score: 5, Insightful

      As someone else pointed out, all he did was request data from a public server and AT&T sent it to him. Also, he got 41 months for forwarding 114,000 email addresses to a news site, which is overkill. Had he physically broken into an AT&T office and taken the email addresses from someone's desk, he would have received less prison time.

      He should have been given community service at the most, and then got an award for exposing a flaw from AT&T.

      --
      Linux O Muerte!
    4. Re:Good by Anonymous Coward · · Score: 5, Insightful

      That. It's a flaw that AT&T never would have addressed without public pressure. Further, Mr. Auernheimer did not release private info to the public -- the news agency to which he released the then already-public information is responsible for further publicizing it.

      Bottom line: it is ludicrous-speed absurd to prosecute somebody for publicizing already public information. If a newspaper accidentally prints the names and addresses of its entire subscriber base in the classifieds, and I call them to report it, can I then be held accountable for "releasing" the information?

    5. Re:Good by coniferous · · Score: 3, Interesting

      Actually, they are both at fault here.
      I don't see a huge effort by Andrew to contact AT&T and say "uh, guys, you have a huge problem here".
      It's very easy to perceive his actions in a malicious way.
      Not that AT&T didn't goof, but this was the wrong way to address it.

    6. Re:Good by jxander · · Score: 2, Insightful

      Meatspace analogy :

      If a bank didn't have a door on its vault, or any forms of security whatsoever, would you walk in and take out all the money? Even if you proceeded directly to the local police department to report the security flaw and deliver the unguarded money, you'd find yourself in quite a bit of trouble.

      --
      This signature is false.
    7. Re:Good by 1729 · · Score: 4, Insightful

      Nearly everything Weev does is malicious, but the question is: is it (or should it be) illegal? He was convicted of identity fraud and "conspiracy to access a computer without authorization". Think about that: requesting unprotected publicly-accessible webpages is "access[ing] a computer without authorization". By that standard, anyone who uses the internet could be convicted of a crime.

    8. Re:Good by jd659 · · Score: 2

      A better analogy: A bank has a web server that takes person's name and returns that person's SSN. A "hacker" sends your username and gets your SSN. He does that for several people from the phone directory. Hacker goes to prison for the BANK'S FAULT of exposing SSNs.

      --
      There's no such thing as "illegal download"
    9. Re:Good by 1729 · · Score: 4, Insightful

      Meatspace analogy :

      If a bank didn't have a door on its vault, or any forms of security whatsoever, would you walk in and take out all the money? Even if you proceeded directly to the local police department to report the security flaw and deliver the unguarded money, you'd find yourself in quite a bit of trouble.

      Here's a better analogy: you send the bank self-addressed stamped envelopes, and they willingly send private information about their clients back to you in those envelopes.

    10. Re:Good by erroneus · · Score: 2

      The crime wasn't breaking in (as this has been repeated over and over again), it was disclosure.

      Part of the problem is that the prosecutors are simply ignorant as to what they are prosecuting. So any "evidence" presented was done without understanding of what they were asserting. That's quite disturbing on its own.

      The "offense" isn't necessarily hacking, because that is not what happened (though it is 'believed' to have happened). What he did was collect the information and present it to the media to bring light to this otherwise serious breach -- a breach that was in active exploitation by others at that time. So, the crime was putting light on the problem.

      There is a valuable lesson to be learned here. If you disclose, do it anonymously. If you don't, someone ignorant will try to prosecute. What's more, if you try to report it to the compromised party (such as AT&T in this case) they will still likely have you charged with some computer crime as has been demonstrated in the past. The only option left is fast and anonymous disclosure and to HOPE that black hats don't abuse the information before it is fixed. (We know this won't happen.)

      So, don't tell AT&T their pants are down or they will blame you for taking their pants down. Instead, whisper it to other people and let the whole world laugh at AT&T before they can respond. We know that keeping the secret "secret" will not help the public servicing entity because whether someone speaks out or not, the wrong people WILL know of the problem. The right people (the public servicing entity) need to be notified and made aware of the problem(s). But there is significant risk to the messenger. So that message must be disclosed anonymously and publicly. What other choice is there?

      AT&T... you have just painted yourself and all other large litigious companies into a very awkward and even dangerous position.

    11. Re:Good by coniferous · · Score: 2, Insightful

      Based on the context it was more than just accessing publicly available data. It's not as if he clicked on a link and went "Oh, look, a bunch of e-mail addresses!". There was effort involved into getting to that list.

      That being said, even if he did run into a bunch of e-mail addresses by being in the wrong place at the wrong time.. e-mailing that list to someone and going "OMG LOOK AT THIS" was proof that he knew the seriousness of the list he found. It cannot be argued that he did not know what he was doing.

    12. Re:Good by hazah · · Score: 4, Interesting

      What did AT&T get fined?

    13. Re:Good by malakai · · Score: 4, Insightful

      First off, the whole reason these guys got whacked by the judge is because they did the standard script-kid thing and went onto IRC and boasted about it, and talked about how they were going to take down AT&T, and make a name for their security company ( Goatse Security, obvious play on goat sex troll )

      He didn't "break in". He sent requests to a publicly-accessible web server, and AT&T sent back private information. This wasn't hacking, or even a DOS attack. AT&T is at fault here.

      By that rationale, any request on a web server via the HTTP GET or POST that could escalate privilege or divulge private data should go unpunished. You realize the number of vulnerabilities accessible via a well crafted GET URL? XSS, SQL Injection, tons of stuff. Ignore the fact HTTP is even involved here. This is no different than finding a weakness at any other level of the OSI model, the fact people can easily understand HTTP GET's doesn't make them any less serious and dangerous to an attacker.

      Honestly, this has been argued over the Ping of Death back in the day. I mean, you're simply sending an ICMP packet via a ping command, it's not like you're hacking.

      In the end it's about context. Exploiting a weakness is by definition hacking. Just because the hack isn't enigmatic, doesn't mean it's not a hack. Look at John Draper and a plastic whistle that happened to hit 2600hz easily.

      "But it's just a guy blowing a whistle into a phone, it's not hacking".

      These guys crafted a specific HTTP GET request that returned private data. The key in this request was generated by them based off a known flaw in ATT's systems (using ICC-ID as a semi private key). Then they shared that data with a news organization.

      Sure, those of us in the industry can shake our head at how stupid AT&T was, but at the same time most of us recognize the line these two guys crossed. It's one thing to send an e-mail to AT&T and copy a security mailing list with a simple example, it's another to write a program and automate the extraction of over 120k e-mails and then package the data and send it to Gawker, while boasting about it on IRC channels.

      Auernheimer likened his actions to walking down the street and writing down the physical addresses of buildings, only to be charged with identity theft.

      I could make the same argument for randomly trying passwords against accounts. "I'm just checking to see if this key happens to work in this door...."

    14. Re:Good by TemperedAlchemist · · Score: 5, Insightful

      Give away emails to demonstrate a security flaw? 41 months in prison.

      Rape, molest, and humiliate a sixteen year old girl? 12 months in prison.

      Justice.

      ---

      I love you, America.

    15. Re:Good by BitZtream · · Score: 4, Interesting

      No, he made explicit requests for information using trial and error and reverse engineering to find a location that would divulge sensitive information to him.

      It didn't throw shit at him, he went digging for it.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    16. Re:Good by Anonymous Coward · · Score: 4, Funny

      1. Set up web site with TOS disallowing access for any reason.
      2. Trick lawmakers into accessing your site.
      3. ???
      4. Profit!

    17. Re:Good by cayenne8 · · Score: 5, Insightful

      Even with all you said, the penalty for these 'computer crimes'....is WAY off base as far as matching punishment with crime.

      We have convicted rapists and murderers that seem to get off with lighter sentences than people that do anything that involves a computer these days, even if the results don't hurt anyone and only embarrass a company or some govt. personnel.

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    18. Re:Good by 1729 · · Score: 4, Informative

      Isn't a key element of the legal case that he also retransmitted the private information? He did not merely receive it.

      From the court filing, it appears both charges are predicated on the notion that sending GET requests to an unprotected, publicly-accessible web server constitutes unauthorized access under Title 18, Section 1030(a)(2)(C).

    19. Re:Good by 1729 · · Score: 2

      He didn't "break in". He sent requests to a publicly-accessible web server, and AT&T sent back private information.

      Like sending "requests" to a publicly-accessible ATM using cards with other people's information on them, and then taking the money the bank "willingly" gives you.

      Yeah, I totally see the difference between that and "breaking in" to an ATM.

      No, that would be like trying to impersonate people by guessing their passwords. In Weev's case, there was no authentication to circumvent.

    20. Re:Good by Anonymous Coward · · Score: 5, Insightful

      But he didn't trespass -- he didn't break any laws or even conventions regarding the distinction between public/private property in requesting and being provided this information. If the pile of gold in your unfenced yard was on a conveyor that could be activated from the street, I think you would be hard-pressed to convince anyone that you intended the gold to remain in your yard. Likewise, spewing out customer details in response to a simple sql query to a public-facing DB server, which requires absolutely no circumvention of existing security measures, is difficult to paint as an earnest attempt to make a public/private delineation, and thereby prevent even accidental leakage.

      As has already been pointed out, the key charge here is "access[ing] a computer without authorization." Since the publicly-facing DB server was not in any sort of secured or even posted enclave, it can only be presumed that the court finds the mere act of interfacing with this system a crime for no reason other than that AT&T has established the server as "private" after-the-fact. That opens up a terrifying door in that any service provider could suddenly declare you persona non grata retroactively, and bring similar criminal charges against you. While that's certainly a leap, it's not a big one...

    21. Re:Good by CanHasDIY · · Score: 2

      I don't see a huge effort by Andrew to contact AT&T and say "uh, guys, you have a huge problem here".

      Then you have never tried to contact them about... well, anything.

      Not even being snarky, just relating my own experiences; I have to deal with AT&T every day, and getting them to so much as acknowledge a problem on their end, let alone do anything to fix it, is similar to attempting to snorkel to the bottom of the Marianas Trench.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    22. Re:Good by Synerg1y · · Score: 2

      Well... it would be more like a farm... you'd enter my 100 acre farm, drive around and randomly spot exposed gold that I did not intend to expose to you, but forgot to bury yesterday because aunt laura swung by. No signs differentiate the gold's space from any other, but you clearly know you're on my land and you know that gold is valuable. I never argued the street's case, besides that I have no expectation of security around the gold on the street, at&t's network would be a private residence owned by at&t.

    23. Re:Good by jeffmeden · · Score: 3, Insightful

      Meatspace analogy :

      If a bank didn't have a door on its vault, or any forms of security whatsoever, would you walk in and take out all the money? Even if you proceeded directly to the local police department to report the security flaw and deliver the unguarded money, you'd find yourself in quite a bit of trouble.

      Here's a better analogy: you send the bank self-addressed stamped envelopes, and they willingly send private information about their clients back to you in those envelopes.

      If those envelopes were in any way a misrepresentation of your legal desire to communicate with your bank (such as an incorrect identity, overstated request, etc) then you, the sender, are guilty of mail fraud. Do not pass go, do not collect $200. The legal system seems to be pretty mysterious to a large part of slashdot...

    24. Re:Good by PRMan · · Score: 3, Interesting

      How about this analogy:

      Your doctor tells you your medical records will be posted in the front window of a white house at 123 Main St. You notice that the street is full of white houses. Just out of curiosity, you go to 125 Main St and see someone else's medical records. 121 Main St., the same thing. In fact every house on the block has a different person's medical records. You see a bunch of other people on the street, going to get their medical records from their respective houses. You joke out loud that you could make a lot of money selling everyone's medical records to some guy in the Ukraine. You tell the hospital that this is a lousy way to communicate medical records.

      You get 41 months in prison for viewing everyone's medical records (in plain view) and for your "intent" to sell them to some guy in the Ukraine.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    25. Re:Good by coniferous · · Score: 2

      Yeah, but he didn't bring "the gun" to a teacher. He brought it to a fellow student.

    26. Re:Good by Anonymous Coward · · Score: 2, Insightful

      There was precisely zero reverse engineering required for anyone with an IQ above room temperature, and the "trial and error" amounted to nothing more than trying one address after another with point-and-click port scanners.

      For the old fogies: he dialed every phone number assigned to your local bank until he found the desk of a moron who would answer every question posed without asking for either authorization or identification, even if it included personally identifiable information for the bank's customers.

      While the activity is dubious and the perpetrator is obviously a Bad Man (TM), there is nothing illegal about calling and asking for information. Providing said information, on the other hand, violates innumerable consumer protection laws and PII handling regulations applicable to various industries. The fact that the "hacker" in this instance is facing jail time while the "victim", AT&T, suffers not even a slap on the wrist, is the ultimate perversion of justice. Anyone who needs more proof regarding who and what actually runs this country simply isn't paying attention.

    27. Re:Good by Hatta · · Score: 3, Insightful

      Damn. Guess I better switch hobbies.

      --
      Give me Classic Slashdot or give me death!
    28. Re:Good by fatphil · · Score: 2

      He did ask before they gave it to him though. It wasn't thrown at him unrequested.

      However, money is an unnecessary ingredient here - all he got was information. The only people who will give an analogy involving money are those who want to equate what he did with stealing. But that is nothing but misleading sophistry.

      He went up to the reception desk and said "can I have the name and address of client 1000000000 please?" which they then gave him. He then said "and for client 1000000001 please?" which they then gave him. Etc.....

      --
      Also FatPhil on SoylentNews, id 863
    29. Re:Good by 0100010001010011 · · Score: 3, Insightful

      Steubenville rape case. They raped an unconscious girl. Drug her between parties. Tweeted about it.

      Serving a minimum of a year. "Could" be in jail until they are 21, but unlikely.

    30. Re:Good by ais523 · · Score: 2

      There are laws against what AT&T did in the UK (if you're storing information about a person that's sufficient to identify that person, you can't make it public without their permission, although you can obtain their permission when you obtain the information). Ones that are considered important enough to be taught in schools.

      --
      (1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
    31. Re:Good by fatphil · · Score: 2

      > By that rationale, any request on a web server via the HTTP GET or POST that could escalate privilege or divulge private data should go unpunished.

      Not at all! The site leaking the information should be held responsible, and if it's clear punishment is due, they should take it like a man.

      > These guys crafted a specific HTTP GET request that returned private data.

      No craft was involved. They were handed that GET request by the server, in order for their browser to later resolve it for their own legal use. All they did was resolve trivial variations on it. Admittedly, that might be considered "craft" by the incompetents presiding over the court, but it's no higher tech than sharpening a stick.

      And if the data was *private* it shouldn't have been accessible to arbitrary clients without secure identification. AT&T made the private data public.

      --
      Also FatPhil on SoylentNews, id 863
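
Several comments above turn on the same technical point: the lookup was keyed on a device identifier alone, with no authentication, and stepping through neighbouring identifiers returned other people's records. The sketch below is an added illustration for defenders, not part of any poster's comment and not AT&T's code; it contrasts an identifier-only lookup with one that checks record ownership, and flags a client that walks through many identifiers. The endpoint path, identifiers, tokens, addresses and log format are all constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed records: device identifier -> subscriber e-mail (all invented).
SUBSCRIBERS = {
    "1000000000": "alice@example.com",
    "1000000001": "bob@example.com",
    "1000000002": "carol@example.com",
}

# Constructed session store: opaque token -> the one identifier it owns.
SESSIONS = {"tok-alice": "1000000000", "tok-bob": "1000000001"}


def lookup_by_identifier_only(device_id):
    """Weak pattern discussed in the thread: the identifier is the only key."""
    email = SUBSCRIBERS.get(device_id)
    return (200, email) if email else (404, None)


def lookup_with_ownership_check(session_token, device_id):
    """Hardened pattern: authenticate the caller, then authorize the object."""
    owned = SESSIONS.get(session_token)
    if owned is None:
        return (401, None)  # no valid session: caller is not authenticated
    if owned != device_id:
        return (403, None)  # authenticated, but this is someone else's record
    email = SUBSCRIBERS.get(device_id)
    return (200, email) if email else (404, None)


def flag_enumeration(log_lines, max_distinct_ids=3):
    """Return clients that requested more distinct identifiers than allowed.

    Assumed log format (hypothetical): "<client> <method> <target> <status>".
    Lines that do not match the format are skipped.
    """
    seen = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        client, method, target, _status = parts
        ids = parse_qs(urlsplit(target).query).get("id", [])
        if method == "GET" and ids:
            seen[client].add(ids[0])
    return sorted(c for c, ids in seen.items() if len(ids) > max_distinct_ids)


# Constructed access log: one client steps through consecutive identifiers,
# another repeatedly fetches a single record.
SAMPLE_LOG = [
    "198.51.100.7 GET /lookup?id=1000000000 200",
    "198.51.100.7 GET /lookup?id=1000000001 200",
    "198.51.100.7 GET /lookup?id=1000000002 200",
    "198.51.100.7 GET /lookup?id=1000000003 404",
    "198.51.100.7 GET /lookup?id=1000000004 404",
    "203.0.113.20 GET /lookup?id=1000000001 200",
    "203.0.113.20 GET /lookup?id=1000000001 200",
    "this line is malformed",
]

if __name__ == "__main__":
    print(lookup_by_identifier_only("1000000001"))
    print(lookup_with_ownership_check("tok-alice", "1000000001"))
    print(flag_enumeration(SAMPLE_LOG))
```

The ownership check is the actual fix; the per-client count of distinct identifiers is only a detection signal, and its threshold here is arbitrary.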
    32. Re:Good by dmbasso · · Score: 3, Insightful

      Indeed, but I guess it wouldn't make a difference if he just showed how to do it, instead of actively forwarding the addresses.

      But what bothers me is not that he's being punished, but the severity of the punishment. 41 months in jail? Please, remind me how many months in jail did the Santander employees responsible for money laundering for terrorists get... oh, wait, I remembered, they didn't even get prosecuted, because rich people can screw everybody freely.

      --
      `echo $[0x853204FA81]|tr 0-9 ionbsdeaml`@gmail.com
    33. Re:Good by QuantumRiff · · Score: 4, Informative

      Two high school kids just got 1 year each for raping a drunk 16 year old at a party (where people actually filmed and took pictures of it happening).. http://www.sheboyganpress.com/viewart/20130318/SHE0101/130317029/Two-Ohio-high-school-football-players-convicted-raping-girl-16

      and this guy gets more than 3 times that for mentioning that a web site will give out people's private email addresses after AT&T did nothing about it?

      --

      What are we going to do tonight Brain?
    34. Re:Good by Anonymous Coward · · Score: 2, Informative

      Because they were minors one of them got 1 year and up to age 21 and the other one got 2 years with the possibility of serving til the age of 21. They also both have to register as sex offenders for the rest of their lives which in some states means they can't live within so many feet of a school or church, can never have a job where they work with kids, can never own a firearm, can't be a cop etc.

      Not that they don't deserve it, they do, but the idea that they are getting off scot-free is not correct.

    35. Re:Good by Jane+Q.+Public · · Score: 3, Insightful

      "... you can't really assess the damage done by publishing 1k+ email addresses."

      He DIDN'T publish the addresses. He sent them to the newspaper as proof that AT&T was screwing up. If the newspaper published them, you can blame the newspaper. It sure as hell wasn't his fault.

    36. Re:Good by Hatta · · Score: 2

      In this case Mr. Auernheimer did intend to obtain addresses that were *only going to be exposed to someone deliberately looking for them* and therefore he is afoul of the law.

      The law prohibits unauthorized access. Not unlikely access. No authorization control means access is authorized.* The deliberate ignorance of the prosecutors and jury notwithstanding.

      *Assuming anything else breaks the entire internet irrevocably.

      --
      Give me Classic Slashdot or give me death!
    37. Re:Good by Anonymous Coward · · Score: 3, Insightful


      . . . say I left a pile of gold in the street, I can't have any expectation it'll be there tomorrow, the streets not mine, but say I left it in my yard, and it's unfenced, to get it, you have to trespass + it's on my property. That's what this guy did, he trespassed and took it . . .

      No, he didn't trespass. The owner had a clear understanding with the public that they were allowed in the yard. The man saw a pile of gold in the yard and asked the local robot - which the owner had configured to hand out various piles of sand, peanuts, dirt, grass clippings and other things in the yard. The local robot obliged and the requestor found it uncomfortable that something so significant had been handed out without question.

      Your analogy is broken.

    38. Re:Good by jklovanc · · Score: 2

      Actually the GET request required the ICC-ID of the device to get the email address for that device. The ICC-ID could be construed as the name of the owner of the device asking for the information and therefore he was fraudulently impersonating someone else when making the requests.

    39. Re:Good by Anonymous+Brave+Guy · · Score: 3, Interesting

      ...sending GET requests to an unprotected, publicly-accessible web server constitutes unauthorized access...

      Am I reading this right? Someone was convicted of a criminal offence because he did something that search engines like Google do millions of times every day?

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    40. Re:Good by Theaetetus · · Score: 2

      Isn't a key element of the legal case that he also retransmitted the private information? He did not merely receive it.

      From the court filing, it appears both charges are predicated on the notion that sending GET requests to an unprotected, publicly-accessible web server constitutes unauthorized access under Title 18, Section 1030(a)(2)(C).

      Actually, from your own link, the charges were predicated on the notion that spoofing an identity in order to fool someone into giving you confidential information is a crime. These weren't just GET URL requests like your browser is sending to read Slashdot, but requests with spoofed IDs - closer to sending GET requests to Slashdot with spoofed cookie IDs in an attempt to get emails of other Slashdot users.

      Or, as an analogy, this would be like calling a phone number and saying "Hi, this is Bill at [Bank of America/Sovereign Bank/Citizens Bank/DCU/etc], and there's been a fraud report on your account. So that we can unlock your account, can you verify your full name, address, date of birth, and social security number," and trying it with different bank names each time until the person stops saying "but I don't have an account with your bank" and responds "oh, gracious, that's my account. Here's my info." Except that you do that thousands of times a second.

      The point is that you wouldn't be arrested for "making a phone call" or "sending GET requests," but obtaining confidential information through fraud.

    41. Re:Good by loshwomp · · Score: 3, Insightful

      What if one of those email addresses is an old lady that gets scammed by a Nigerian prince? What if it's 100 of those emails that that happens to?

      If it's that serious then we need to find AT&T criminally negligent for letting absolutely anyone get all those private email addresses. If it's not that serious after all, then there's no point in railroading the guy who reported the problem, but we can't have it both ways.

    42. Re:Good by Luckyo · · Score: 2, Interesting

      "Little punishment"? US justice system is draconian when it comes to punishing crime. These guys are going to have a stigma of "sex offender" for their entire lives on them now.

      What the hell happened to rehabilitation? You know, getting both the victim and criminals rehabilitated to be able to live good lives without the spectre of rape hanging over them? Now victim gets "vengeance" which solves absolutely nothing for her, and two guys went from low grade passion criminals to having completely destroyed lives coupled with likely recidivism due to problems with US incarceration system. Hooray for more victims. Get the rope, I hear hanging solves all the problems in frontiersman's land.

      Same thing could have been used in the crime of that guy. Instead of throwing him into jail, have him fined and have him have face to face meetings with people who he basically fucked by giving all spammers and scammers in the world their email addresses. Let him hear about actual, real and tangible effects of his "gray hacking" or whatever it is that his lawyers tried to dress it up as. And lastly, have him see the impact on the company he was supposed to be working for, perhaps have him do the work to secure all of their servers for a while under threat of prison for pennies. Perhaps then he would have found a much greater insight as to how difficult it is to manage a huge infrastructure company and next time forward his finds up the ladder instead of pretending to be a wannabe hero.

      But hey, prisons must make profits.

    43. Re:Good by Jane+Q.+Public · · Score: 2

      "Think about what you just said for a second... now go make the real posters sandwiches."

      You are claiming that Gawker has no responsibility for publishing? According to the official accounts, "Goatse Security" had tried to contact several "more responsible" news outlets to get the story out. They only resorted to including some emails with the story when that failed, in order to verify that it was real.

      Never mind their motivations. Yes they acted irresponsibly. But that is as may be. They weren't responsible for first "publishing" emails.

      Now go make some cheese sandwiches for Goatse.

    44. Re:Good by runeghost · · Score: 2

      He's being jailed for pointing out that the emperor wasn't wearing any clothes. Welcome to 21st Century America.

  2. Hard to feel sympathy by i+kan+reed · · Score: 4, Insightful

    The purported target, AT&T, is hardly the nicest organization, but the actually affected people were just regular people. This doesn't seem especially out of line with the USA's normal unhealthy sentencing. We want to punish, not correct, those convicted here.

    As long as that attitude remains dominant, miscarriages of justice will occur within every branch of justice (except for the super-rich).

  3. On His Release, Weev Plans To Run For Congress by judgecorp · · Score: 2

    In an interview Weev says he wants to run for Congress, despite regarding the government as "seditious thugs". http://www.techweekeurope.co.uk/interview/angel-or-demon-hacker-would-the-real-weev-please-stand-up-110637

  4. Re:Well yes but, by i+kan+reed · · Score: 2

    Strictly hypothetically, what rock is this key under? And what's your street address? Just hypothetically, so we can look up the laws in your jurisdiction, and understand which rock not to touch.

  5. Sentencing reveals country's values by bigonese · · Score: 5, Insightful

    Two young men in Steubenville rape a young woman and get 1 - 2 years in jail. A man writes a script to get email addresses from a website and gets 3.5 years in jail. Something's not right.

    1. Re:Sentencing reveals country's values by Seumas · · Score: 5, Insightful

      It's simple. Society is sick.

      Their response to one is "Well, boys will be boys!".

      Their response to the other is "Oh my god, if they can webscrape publicly accessible information, the next thing these vile social outcasts will be doing is hax0ring into NORAD and launching nuclear warheads and initiating WWIII and I can't have that because I haven't finished watching Real Housewives, yet!"

    2. Re:Sentencing reveals country's values by Derekloffin · · Score: 4, Insightful

      Come on now, the combined trauma of those 100,000 people having their emails... oh never mind, I just can't say it with a straight face.

    3. Re:Sentencing reveals country's values by krlynch · · Score: 4, Informative

      The Steubenville convictees are legally juveniles. Society has decided that we don't throw the book at them. Had they been adults, they would not be getting sent to a juvenile facility, and they would not be getting out in so short a time. It's hardly an apt comparison.

    4. Re:Sentencing reveals country's values by dkleinsc · · Score: 3, Insightful

      It's all about who the victim and the perpetrator of the crime are: In the Steubenville case, the victim is a powerless teenage girl, and the perps are a couple of somewhat powerful (at least locally, where the high school football team is a privileged class) teenage boys. In this case, the victim is AT&T (the largest campaign donor in the US), and the perp is a relatively powerless computer geek.

      This is just a subset of the more extreme differences: Rob $2000 from a bank, and if you're lucky you won't be shot by the police. Rob $2 billion from a bank, and the SEC or OCC will settle with you for $500 M (25% of your take) and no admission of wrongdoing.

      And no, that's not the way it's supposed to work, but it's the way it's actually working.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    5. Re:Sentencing reveals country's values by Hatta · · Score: 2

      The Steubenville convictees are legally juveniles.

      Whereas weev is simply emotionally juvenile.

      --
      Give me Classic Slashdot or give me death!
  6. Re:Don't understand computers? by Jawnn · · Score: 4, Insightful

    That the defendant did not "break in". He did not circumvent any system or other contrivance designed to secure sensitive information. Those systems and contrivances simply did not exist. The worst that can be said of what he did was that he was irresponsible in sending the clearly sensitive information to someone else. The right thing to do, of course, would have been to contact AT&T. Had he done that, there wouldn't even be a case for restitution, unless maybe it was to compensate the defendant for doing the work that AT&T failed to do.

  7. Re:Well yes but, by Wattos · · Score: 2

    If you find my key under a rock in my backyard, it is still theft if you break into my house with it and steal things.

    The analogy is not really applicable. This is more like writing all your secrets into a notebook and putting it into a library (in a section accessible to everyone). Then you sue the person who found the notebook.

    Leaving the data open to any web request is the true crime here. I do not know about the US, but in Europe that would have been a violation against the Data Protection Act.

  8. Re:Don't understand computers? by Looker_Device · · Score: 5, Insightful

    The right thing to do, of course, would have been to contact AT&T. Had he done that, AT&T would have threatened him to keep quiet and then never fixed the flaw

    FTFY

    --
    Your political party doesn't care about your rights and only represents corporate interests.
  9. ... and if Google had done this... by tekrat · · Score: 4, Insightful

    They would only be fined 1 day's worth of profits...
    Corporations are people too? Bullshit. Corporations are treated better than people, under the law. I seriously suggest that every individual incorporate themselves and, when accused of any wrongdoing, claim it was via the corporation, and suggest that the law take it up with the board of directors.

    --
    If telephones are outlawed, then only outlaws will have telephones.
  10. Re:they don't understand law, either by BitZtream · · Score: 2

    And you don't understand how rational people work.

    A naked woman standing in the street doesn't mean you suddenly have the right to sexually assault her, or does that sound like it's okay in your mind as well?

    And let's be clear. Data doesn't give a fuck, so stop that bullshit.

    And to be more clear: He took distinct actions to access data. Applying reverse engineering and some packet sniffing he SEARCHED FOR AND FOUND the data in question. It wasn't linked from any normally accessible location or anything else.

    His only possible logic for 'not knowing' is if he was so stupid that he didn't understand what he was doing, but being that he got past turning the computer on, we know that's not the case. He intentionally sought out, downloaded, and distributed the data to someone else.

    If you can't understand why that's wrong, I really feel sorry for you. I hope you get taken advantage of in the same way so you can get the point.

    You can argue that the punishment was retarded, which it was, he wasn't actually malicious, but he DID commit several crimes.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  11. No focus on AT&T liability? by sl4shd0rk · · Score: 2

    The same type of reckless design that went into AT&T's website for registration is symptomatic of the direction the industry has been heading. It represents that YOUR PRIVACY in the hands of a monopoly is not worth two-shits to them. Even if it was "only an email address" it could have easily been your SSN# on a CD, or medical record on an unencrypted laptop, voting record or ballot on a voting machine, whatever. Weev sounds like a jackass, but I would have expected better security from AT&T. If you're going to take the place to be a reactionary "victim" then maybe you should ask yourself who victimized you first -- AT&T perhaps? If AT&T left your car unlocked, would you still blame the thief?

    --
    Join the Slashcott! Feb 10 thru Feb 17!
  12. Show me. by westlake · · Score: 2

    We have convicted rapists and murderers that seem to get off with lighter sentences than people that do anything that involves a computer these days, even if the results don't hurt anyone and only embarrass a company or some govt. personnel.

    Show me the numbers and then we can talk.

    Real stats for the rapist and murderer. Real stats for the geek whose computer-related crimes earned him hard time.

    In the American federal system, crimes of violence are almost always prosecuted under state law.

    Execution List 2012 Each state on this list, for example, has executed between 1200 and 1300 death row inmates since 1976.

    Federal Executions 1927-2003: 23.

    The DOJ's Computer Crime & Intellectual Property Section archives its press releases of charges and convictions dating back to 2000. It's a useful corrective to the notion that the geek's crimes are victimless. That he hasn't hurt anyone.

    CCIPS Press releases

  13. Death Penalty by Tenebrousedge · · Score: 3, Interesting

    Indulge me in a little hyperbole: for a friend of mine, hacking AT&T was a death sentence.

    Lance Moore was involved with LulzSec, foolishly no doubt. As an AT&T technician of some sort, he acquired and subsequently distributed some internal corporate documents. The Justice department is liable to be a more accurate source of the specific complaints. He was caught. The FBI seized its opportunity to bring the hammer down. I've seen various figures given for the amount of jail time he was facing; somewhere between five and thirty. He was found dead by his own hand on February 24 of last year. His crime has by now likely been forgotten by all that were involved with it.

    Sixteen other people were arrested the same day that he was arrested. I don't know their stories. The reader may judge whether justice was served.

    --
    Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.