Slashdot Mirror


Security Researchers Submit Brief For Andrew "Weev" Auernheimer

USSJoin writes "Andrew Auernheimer (or Weev, as he's often better known) is serving a 41-month sentence under the Computer Fraud and Abuse Act. The case is currently on appeal to the Third Circuit Court of Appeals; his lawyer filed the appellate brief last week. Now, a group of 13 security researchers, led by Meredith Patterson and including Peiter "Mudge" Zatko, Space Rogue, Jericho, Shane MacDougall, and Dan Kaminsky, are making their own thoughts heard by the court. They are submitting a brief to the Third Circuit Court of Appeals that argues that not only is Weev's conviction bad law, but if upheld, it will destroy independent security research, and perhaps the rest of consumer safety research as well."

161 comments

  1. What Weev did by wonkey_monkey · · Score: 5, Informative

    It may have been pertinent to briefly explain what he actually did in the summary - he was the guy who got hold of 114,000 AT&T customer email addresses. Beyond that I don't know much, except that there is some argument over whether what he did was any kind of "hack" - he may have just navigated some exposed folders. Either way, you still probably get less than 41 months for kicking a puppy to death.

    --
    systemd is Roko's Basilisk.
    1. Re:What Weev did by Anonymous Coward · · Score: 0

      Thank you for the explanation of what he did but you're forgetting one important thing. Kicking a puppy to death doesn't affect profits of Corporate America so there's no reason why the penalty would be as severe.

    2. Re:What Weev did by Anonymous Coward · · Score: 0

      Weev has probably kicked a few puppies to death in his time in the acid-fueled mistaken impression that they were Jewish bankers.

    3. Re:What Weev did by Anonymous Coward · · Score: 0

      114,000 AT&T customer email addresses is nothing. Just imagine how many the NSA has. Should their punishment be in logarithmic, direct, or exponential proportion to Weev's?

    4. Re:What Weev did by Trepidity · · Score: 5, Informative

      He was also convicted of conspiracy to distribute those addresses for criminal purposes based on the fact that he... sold them to Russian fraudsters? No: disclosed them to a journalist. I guess the criminal purpose was embarrassing AT&T?

    5. Re:What Weev did by Anonymous Coward · · Score: 0

      The law is not supposed to punish the government for doing things we've authorized them to do.

    6. Re:What Weev did by MickyTheIdiot · · Score: 1

      Look at this very thread.

      It's fairly obvious where our values are placed in this country.

    7. Re:What Weev did by interkin3tic · · Score: 2

      He also broke a gag order. A gag order which sounds like it was intended to bully and bankrupt him into submission.

      Just throwing this out there for someone with more legal insight than me: how is it that gag orders are justified when there's not a fear that one of the witnesses is going to get shot by the mob?

    8. Re:What Weev did by ebno-10db · · Score: 1

      The law is not supposed to punish the government for doing things we've authorized them to do.

      "We"? I know I didn't authorize them to do it. Even if I, or anyone else including the president had, it still doesn't repeal the 4th Amendment.

    9. Re:What Weev did by Curunir_wolf · · Score: 1

      The law is not supposed to punish the government for doing things we've authorized them to do.

      I think the jury is still out over whether "we've" authorized them to do what they did or not. The secret court made a secret decision that expanded the original authorization to one that was a lot more expansive. I think there is a good argument to be made that they went beyond their authorization.

      Be that as it may, the insiders are never held accountable like the rest of us are. Do you think James Clapper will get the same punishment as Martha Stewart?

      --
      "Somebody has to do something. It's just incredibly pathetic it has to be us."
      --- Jerry Garcia
    10. Re:What Weev did by reimero · · Score: 2

      The appeal brief (linked above) is worth a read. There's a lot of legal-ese in there (obviously), but it raises some very serious questions (not the least of which is double jeopardy.) There's also the legitimate question of what constitutes "unauthorized" access. From what I can tell, AT&T used those individualized headers as an authentication/authorization scheme, and relied on security through obscurity. Auernheimer changed the headers and gained access to accounts that were not his. There was no other authentication "challenge", no effort made on AT&T's part to verify the authenticity of the header, and no encryption.

      Auernheimer is certainly a schmuck, but in this specific instance, I don't think he broke the law, and if he did, it was at worst a misdemeanor. I really think this is AT&T pushing for aggressive prosecution to cover their own tails: that security scheme was so weak that they'd likely have been subject to a lawsuit of their own had they not gone after Auernheimer aggressively.

      --
      ----------
      Something clever
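      The scheme reimero describes above, an identifier supplied by the client standing in for both authentication and authorization, is worth seeing side by side with the fix. The following is an added illustration written for this thread, not AT&T's code and not from the brief: the header name `X-Device-Id`, the identifier format, the sample accounts and the ownership table are all constructed assumptions. The vulnerable lookup trusts whatever identifier arrives; the hardened lookup keeps the identifier as a record selector but takes the principal from an authenticated session and requires the record to belong to that principal. A small harvester walks sequential identifiers against both so the difference is observable.

```python
"""Identifier-as-authorization anti-pattern versus a session-bound check.

Constructed example for this discussion, not AT&T's code. The header name,
identifier format, sample accounts and ownership table are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Iterator, List, Optional

# Constructed sample data: sequential device identifiers mapped to emails.
ACCOUNTS = {
    "8901000000000000101": "alice@example.com",
    "8901000000000000102": "bob@example.com",
    "8901000000000000103": "carol@example.com",
}

# Constructed ownership table: which authenticated subscriber owns which device.
OWNERSHIP = {
    "alice@example.com": {"8901000000000000101"},
    "bob@example.com": {"8901000000000000102"},
}


@dataclass
class Request:
    headers: dict
    session_subscriber: Optional[str] = None  # set only after a real login


class Forbidden(Exception):
    pass


def lookup_email_vulnerable(req: Request) -> str:
    """Weak scheme: the device id the client sends is treated as proof of
    identity. Nothing ties the identifier to an authenticated principal, so
    anyone who can guess or enumerate identifiers can read any record."""
    device_id = req.headers.get("X-Device-Id", "")
    if device_id not in ACCOUNTS:
        raise KeyError("unknown device")
    return ACCOUNTS[device_id]


def lookup_email_hardened(req: Request) -> str:
    """Hardened: the identifier only selects a record. Authorization comes
    from the authenticated session, and the record must belong to it."""
    if req.session_subscriber is None:
        raise Forbidden("authentication required")
    device_id = req.headers.get("X-Device-Id", "")
    if device_id not in OWNERSHIP.get(req.session_subscriber, set()):
        # Same error for "not yours" and "does not exist", so the endpoint
        # cannot be used as an oracle for which identifiers are valid.
        raise Forbidden("not found")
    return ACCOUNTS[device_id]


def sequential_ids(start: int, count: int) -> Iterator[str]:
    for i in range(start, start + count):
        yield str(i)


def harvest(lookup: Callable[[Request], str], start: int, count: int,
            session: Optional[str] = None) -> List[str]:
    """Walk sequential identifiers against an endpoint and collect what it
    returns, the way an enumeration script would."""
    found = []
    for device_id in sequential_ids(start, count):
        req = Request(headers={"X-Device-Id": device_id},
                      session_subscriber=session)
        try:
            found.append(lookup(req))
        except (KeyError, Forbidden):
            continue
    return found


if __name__ == "__main__":
    base = 8901000000000000100
    print("vulnerable:", harvest(lookup_email_vulnerable, base, 10))
    print("hardened, no session:", harvest(lookup_email_hardened, base, 10))
    print("hardened, alice:", harvest(lookup_email_hardened, base, 10,
                                      session="alice@example.com"))
```

      Against the vulnerable lookup the harvester recovers every account in the identifier range with no credential at all; against the hardened one an unauthenticated client gets nothing and an authenticated client gets only its own record. The uniform "not found" response matters too: a distinguishable "exists but not yours" answer would still let an enumerator map which identifiers are live.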
    11. Re:What Weev did by Ash-Fox · · Score: 2

      Note: I am not the original poster and I am not from or even live in the U.S.

      it still doesn't repeal the 4th Amendment.

      I don't view what the NSA did as a violation of the 4th amendment (was it ever fully confirmed that the gathering of data was warrantless, or was it entirely through the FBI's warrants?).

      The method of duplicating data they used does not look anything close to a search and seizure to me. Nor do I see persons being deprived of houses, papers, and effects in this intelligence gathering.

      I feel that trying to use the 4th amendment to stop this is somewhat weak, the amendment seems more constructed in a form to prevent people from being hassled/harassed and deprived of personal effects. Then there are words like "unreasonable" used, so even if this is considered to be infringing the 'search and seizure' contexts, I am uncertain that this can be considered unreasonable considering the context of what this amendment appears to have been written in.

      Now, of course, there are going to be rulings that disagree and agree with me, but my point here is that I feel the 4th amendment argument is actually quite weak in this scenario and feels more like you're trying to use something unrelated to get your way. I should also point out that there have since been a bunch of law changes that give approval to such actions - I don't know if that would make it considered 'reasonable' since it's been approved at various levels of government institutions which are run by the people.

      It would be great to see better arguments than "it still doesn't repeal the 4th Amendment." with no decent explanation as to how the 4th amendment is really involved.

      --
      Change is certain; progress is not obligatory.
    12. Re:What Weev did by Jane Q. Public · · Score: 2

      "There's also the legitimate question of what constitutes "unauthorized" access."

      Their first point is the one I feel is most pertinent and carries the most weight: the fact that calling a breach of Terms of Service a "crime" would effectively allow private corporations to write their own laws... something that is very clearly outside not just our Constitution, but our entire historic system of justice, from long before the Constitution was even conceived.

    13. Re:What Weev did by fazey · · Score: 0

      They've effectively used the patriot act to circumvent the 4th amendment. The 4th amendment has nothing to do with putting you out of home, or taking your copies of the data... it has to do with guarding against unreasonable search and seizure. In this case copying all of my emails is unreasonable search.
      Why should they be able to tell what kind of porn I subscribe to?
      Why should they get to see a copy of my significant other naked?
      The answer is, they shouldn't. But they were given the ability to circumvent the constitution in the name of "national security". Terrorists are just the new Commies. That's the problem.

    14. Re:What Weev did by mi · · Score: 1

      the 4th amendment argument is actually quite weak in this scenario and feels more like you're trying to use something unrelated to get your way

      Well, if the 1st Amendment was used to establish a right to sell pornography, then the 4th may as well be used against the government browsing through our electronic records in addition to any tangible personal effects... (And the 2nd, BTW, should allow us to keep and bear any arms, which we can, ahem, "keep and bear" — including the "assault" variety.)

      --
      In Soviet Washington the swamp drains you.
    15. Re:What Weev did by steelfood · · Score: 1

      Which shouldn't be embarrassed or threatened because they're extremely helpful to the NSA and FBI in their endeavours.

      That's the problem with allowing corporations to cooperate with the government. It ultimately descends into corporatist fascism where one is helping to cover the other's ass and vice versa. In the end, it's the people who lose.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    16. Re:What Weev did by davydagger · · Score: 2

      in other news, a bunch of teenagers who raped another teenager, bragged about it in a video, and put it on the internet get two years (24 months) in juvenile hall

      http://abcnews.go.com/US/steubenville-football-players-guilty-ohio-rape-trial/story?id=18748493

      good job America, way to let the world know you have your priorities right.

    17. Re:What Weev did by Darinbob · · Score: 1

      Just because you can get to something without hacking or lockpicking or decryption does not mean it was legal. If I leave my front door unlocked by mistake then it does not mean that anyone can legally come inside and look around. So that part of unauthorized access was illegal, although minor. It's the other stuff he's being charged with that is more pertinent.

      Prosecutors love to pile on stuff to earn more points, and that's what seems to be going on here.

    18. Re:What Weev did by Anonymous Coward · · Score: 0

      That is almost twice what Michael Vick served for being involved with running a dog fighting operation.

    19. Re:What Weev did by phantomfive · · Score: 1

      Either way, you still probably get less than 41 months for kicking a puppy to death.

      FWIW in California you can get 36 months for kicking a puppy to death, unless it's your third strike, then you can get 25 years.

      --
      "First they came for the slanderers and i said nothing."
    20. Re:What Weev did by Xtifr · · Score: 1

      Posting something on the public internet, as AT&T did, is not equivalent to keeping it in your living room, so your analogy fails. Badly. It's more like putting things out on the sidewalk in front of your house, and then getting upset because someone came along and looked at the sidewalk, instead of following your instructions to keep their eyes closed until they reached the exact GPS coordinates you sent them.

  2. Well by Anonymous Coward · · Score: 1

    In the light of recent events, we are sure the STASI also owes some favors to AT&T....

  3. LOL by Anonymous Coward · · Score: 0, Informative

    So independent researchers talk about their work in ways such as:

    Auernheimer: this could be like, a future massive phishing operation serious like this is valuable data we have a list a potential complete list of AT&T iphone subscriber emails

    Auernheimer: well i will say this it would be against the law for ME to short the att stock but if you want to do it go nuts

    Auernheimer: lets not like do anything else we fucking win and i get to like spin us as a legitimate security organization

    Yeah, he surely was working to only help those customers...

    1. Re:LOL by sideslash · · Score: 4, Interesting

      If you read those comments in a hostile light, then sure, it looks like he's up to no good. But just from those snippets, it's ambiguous. As far as the phishing thing, how the heck do you think a security researcher would describe the importance of a vulnerability discovery? It appears that Weev had no intent to use the data maliciously, he just exposed AT&T's wrongdoing to the world. Do you have any evidence otherwise?

    2. Re:LOL by thoriumbr · · Score: 4, Interesting

      No, Weev is not an independent security researcher, he is a troll. BUT he used the same tools the researchers use. It's like passing a law outlawing the use of lockpicks. Surely all thieves would be affected, but it would affect locksmiths too.
      If Weev loses the appeal, the traffic on the full-disclosure mailing list will drop a lot. If I discover a bug on the Paypal website that allows anyone to access a third party's account, and I inform Paypal, I would be guilty.
      Even with Weev being a troll and thinking of making profits over the AT&T mistake, the problem is shifting the blame for exposing the innocent victims from AT&T to Weev. The way this is going, it looks like AT&T did everything right, responsible, blameless, and an evil hacker with super-human powers hacked their NSA-grade secured servers and stole the data, when what really happened was that AT&T didn't even bother to protect the data in any way.

    3. Re:LOL by jklovanc · · Score: 1

      If Weev loses the appeal, the traffic on full-disclosure mailing list will drop a lot. If I discover a bug on Paypal website that allows anyone to access a third party's account, and I inform Paypal, I would be guilty.

      If I discover a bug on Paypal website that allows anyone to access a third party's account, succeeded over 114,000 times over a number of days, made the information public, and I inform Paypal,

      FTFY. The issue is not what he did but how many times he did it. The judge in the case even said that he would not have been convicted if he had stopped at a few hundred examples to prove the vulnerability. The volume of what he did crossed the line between white hat and black hat hacking.

    4. Re:LOL by stenvar · · Score: 1

      Downloading so many addresses may well have been necessary to demonstrate the seriousness of the problem. He could have gotten a list of a few hundred examples simply by doing Google searches and crawls; it would have been meaningless.

    5. Re:LOL by jklovanc · · Score: 2

      Untrue. All he had to do was show the URLs he used to get each address and how the URLs could be changed to get more data. The company would have been able to hit those URLs and confirm that is where the data came from. That would have made it clear that there was a big issue.

      He may have been able to get the email addresses from somewhere else but the evidence of the URLs is overwhelming.

    6. Re:LOL by martyros · · Score: 2

      And as the brief actually points out, a person's beliefs about whether what he did was illegal or not are completely irrelevant to whether or not a crime was actually committed. If what you did was illegal, you are punished even if you believe it to be legal; but the converse holds true as well -- if what you did was legal, you should not be punished, even if you believed that it was illegal.

      --

      TCP: Why the Internet is full of SYN.

    7. Re:LOL by stenvar · · Score: 1

      You don't seriously believe most journalists are capable of doing that sort of thing?

    8. Re:LOL by jklovanc · · Score: 1

      Weev didn't even report the vulnerability to the company before going to the press. Weev also knows many tech savvy journalists to report it to. His motivation was to do the most damage possible and get his name in the news. Fixing the issue was not even on his radar.

    9. Re:LOL by stenvar · · Score: 1

      I don't think he had any obligation to notify them. Computer crime should require circumvention of at least some access control. If a company puts private data on the Internet without access control, the company should be fully liable for all consequences of their actions.

    10. Re:LOL by jklovanc · · Score: 2

      The URL contained the identifier for the phone. Weev fraudulently identified himself as the owner of a phone that was not actually his. He continued to extract information he knew he should not have and then published it. He did not have an obligation to notify the company but he did have an obligation to not send out copies of confidential information that he knew he shouldn't have in the first place. A white hat would notify the company. A black hat would publish the information. Weev did the latter and is therefore a black hat.

    11. Re:LOL by stenvar · · Score: 1

      A necessary condition for a computer crime should be the evasion of some access control. Identifiers are not an access control measure. The principle you espouse, namely that people have an obligation to keep confidential information of third parties confidential, is a bad one. If we adopted that, everybody constantly would have to second guess whether some piece of information might be confidential or not.

      A white hat would notify the company. A black hat would publish the information. Weev did the latter and is therefore a black hat.

      And in doing so, white hats are aiding the continued privacy abuses of AT&T. As I was saying: in the absence of effective legal remedies, it's only embarrassing disclosures and scandals that might cause companies like AT&T to change their ways. Your white hats are about as moral as Saruman.

    12. Re:LOL by jklovanc · · Score: 1

      If we adopted that, everybody constantly would have to second guess whether some piece of information might be confidential or not.

      The crux of the matter is the fact that Weev knew the information was confidential but published it anyway. It is not a grey area whether or not the information was confidential. There is a big difference between finding something on a sidewalk and brute forcing millions of ID possibilities at a server. Weev knew what he was doing was illegal and is not trying to hide behind legitimate security researchers. He could have done it the right way but he decided he wanted the publicity and did it the wrong way.

    13. Re:LOL by stenvar · · Score: 1

      The crux of the matter is the fact that Weev knew the information was confidential but published it anyway.

      What he "knew" shouldn't be relevant. What should be relevant is whether he had a contractual obligation to keep the data private or confidential.

      There is a big difference between finding something on a sidewalk and brute forcing millions of ID possibilities at a server

      There won't be when people like you are done.

      and is not trying to hide behind legitimate security researchers. He could have done it the right way but he decided he wanted the publicity and did it the wrong way.

      That kind of reasoning, too, ends up with licensing requirements and restrictions on professions that should have none of that.

      Weev seems to have been a jerk, but he isn't the problem; people like you are: people who are trying to protect the people who are responsible for exposing this kind of data in the first place.

    14. Re:LOL by CountBrass · · Score: 1

      Sorry but you're wrong.

      For some, but by no means all, laws intent to break it is an important factor.

      --
      Bad analogies are like waxing a monkey with a rainbow.
    15. Re:LOL by Anonymous Coward · · Score: 0

      What he "knew" shouldn't be relevant. What should be relevant is whether he had a contractual obligation to keep the data private or confidential.

      Publishing private information without the person's consent is illegal whether you had such a contract or not.

      That kind of reasoning, too, ends up with licensing requirements and restrictions on professions that should have none of that.

      Even the judge noted how the case would turn out differently if the scale of his "security research" indeed looked like researching and not like trying to download the whole database for unknown purposes.

      Weev seems to have been a jerk, but he isn't the problem; people like you are: people who are trying to protect the people who are responsible for exposing this kind of data in the first place.

      Please do provide a relevant quote where GP tries to protect AT&T.

    16. Re:LOL by jklovanc · · Score: 1

      What he "knew" shouldn't be relevant. What should be relevant is whether he had a contractual obligation to keep the data private or confidential.

      Weev had a legal obligation to keep the data private or confidential. If Weev is a security researcher as he claims then he would know the laws surrounding computer intrusion and confidential information. He knew that obtaining, copying and publishing the information was illegal. He can't even try to hide behind "ignorance of the law". What he knew is very relevant. He knew the law, he knew what he was doing was against the law and he did it anyway. In legal terms it falls under intent. Weev intended to break the law and should have to deal with the legal consequences.

      There won't be when people like you are done.

      Legitimate researchers collect a sample just large enough to prove an issue. What Weev did was collect 1000 times the necessary sample and therefore went way over the line. If you can not see the difference then you have a big problem.

      That kind of reasoning, too, ends up with licensing requirements and restrictions on professions that should have none of that.

      I would consider the restrictions of not downloading 1000 times the data needed to prove an issue and not sending massive amounts of confidential information to news agencies as very reasonable; and it is the law so no licensing is required. Most legitimate security researchers give the company a chance to fix an issue before going public. Weev didn't even do that.

      Weev seems to have been a jerk, but he isn't the problem; people like you are: people who are trying to protect the people who are responsible for exposing this kind of data in the first place.

      Is there anywhere I have said that AT&T should not be held accountable for the breach? I think there should be a class action suit by all the people whose data was breached. Does that mean that what Weev did was OK? No. As the old saying goes "Two wrongs do not make a right".

      Weev is a glory hound who broke the law. It is people like you who try to protect black hat hackers that sully the name of true white hat hackers. Weev was not trying to be helpful; He was just trying to get his name in the press.

    17. Re:LOL by stenvar · · Score: 1

      It is people like you who try to protect black hat hackers that sully the name of true white hat hackers.

      One can't "sully" the names of either black hat or white hat hackers; you both are apparently either too dumb or too unimaginative to do anything more interesting with computers than look for the PHP coding mistakes of retrained baristas.

      I simply want clear, unambiguous lines for what constitutes criminal behavior, and that line should be drawn at the circumvention of access protections. Accessing a public URL without a password should never be illegal, under any circumstances, not to protect "black hats" but to protect folks who, unlike you, actually do interesting things with computers from arbitrary legal prosecution.

    18. Re:LOL by jklovanc · · Score: 1

      you both are apparently either too dumb or too unimaginative to do anything more interesting with computers than look for the PHP coding mistakes of retrained baristas.

      You just lost the argument when you resorted to an ad hominem attack. You have shown that your argument is weak and switched to attacking the person.

      I simply want clear, unambiguous lines for what constitutes criminal behavior, and that line should be drawn at the circumvention of access protections.

      Is entering a building through a door that someone forgot to lock, photocopying a bunch of confidential information and publishing it legal? No. The fact that the URL was not password protected is beside the point. Weev knew that obtaining the data the way he did was illegal.

      Accessing a public URL without a password should never be illegal, under any circumstances

      I agree to a point. Slamming a server with millions of requests over a number of days, collecting 114,000 email addresses and publishing them should be illegal. It seems that you want the world to be black and white. Sorry but it isn't that simple. Somewhere between inadvertently accessing a URL and trying millions of times is the line between legal and illegal. It is up to the courts to decide where that line is and in this case they decided that Weev's actions were on the illegal side of that line.
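      Whatever one thinks of where the legal line sits, the volume jklovanc points to is exactly the signal a defender can see: a single client walking sequential identifiers at a rate no legitimate handset would produce. The following detection sketch is an added example for this thread, not AT&T's logging and not a real product rule; the log format, the `/account/email?device=` path, the client addresses and the thresholds are constructed assumptions. It groups requests per client, slides a time window over them, and flags a client once it has touched more than a handful of distinct identifiers in that window with mostly sequential steps between them.

```python
"""Spotting identifier enumeration in access logs.

Constructed example for this discussion: the log format, endpoint path,
client addresses and thresholds are assumptions, not AT&T's systems.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log lines: client ip, timestamp, request, status.
SAMPLE_LOG = """\
203.0.113.7 2010-06-01T10:00:00 GET /account/email?device=8901000000000000101 200
203.0.113.7 2010-06-01T10:00:01 GET /account/email?device=8901000000000000102 200
203.0.113.7 2010-06-01T10:00:01 GET /account/email?device=8901000000000000103 404
203.0.113.7 2010-06-01T10:00:02 GET /account/email?device=8901000000000000104 200
203.0.113.7 2010-06-01T10:00:02 GET /account/email?device=8901000000000000105 200
203.0.113.7 2010-06-01T10:00:03 GET /account/email?device=8901000000000000106 200
198.51.100.4 2010-06-01T10:00:00 GET /account/email?device=8901000000000000250 200
198.51.100.4 2010-06-01T10:05:00 GET /account/email?device=8901000000000000250 200
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<ts>\S+) GET /account/email\?device=(?P<id>\d+) (?P<status>\d{3})$"
)

Event = Tuple[str, datetime, int, int]  # ip, timestamp, device id, status


def parse(log_text: str) -> List[Event]:
    """Parse the constructed log format; lines that do not match are skipped.
    The status is kept so a caller can separate hits on live identifiers
    from misses, although the detector below does not need it."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((m["ip"], datetime.fromisoformat(m["ts"]),
                       int(m["id"]), int(m["status"])))
    return events


def find_enumerators(events: List[Event],
                     window: timedelta = timedelta(seconds=60),
                     max_distinct: int = 5,
                     seq_fraction: float = 0.8) -> Dict[str, dict]:
    """Flag clients that hit more than max_distinct distinct identifiers
    inside one window, when most consecutive identifiers differ by one.
    A normal client repeats its own identifier; an enumerator steps through
    many. Returns {ip: details} for flagged clients."""
    by_ip: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for ip, ts, dev, _status in events:
        by_ip[ip].append((ts, dev))

    flagged: Dict[str, dict] = {}
    for ip, hits in by_ip.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Advance the window start until the span fits inside `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ids = [dev for _, dev in hits[start:end + 1]]
            distinct = len(set(ids))
            if distinct <= max_distinct:
                continue
            steps = [b - a for a, b in zip(ids, ids[1:])]
            sequential = sum(1 for s in steps if s == 1) / len(steps)
            if sequential >= seq_fraction:
                flagged[ip] = {"distinct_ids": distinct,
                               "sequential_fraction": round(sequential, 2)}
                break
    return flagged


if __name__ == "__main__":
    print(find_enumerators(parse(SAMPLE_LOG)))
```

      On the constructed sample the walker at 203.0.113.7 is flagged after its sixth distinct identifier with every step equal to one, while 198.51.100.4, which asks twice for the same identifier five minutes apart, is not. The thresholds are deliberately small so the sample trips them; a production rule would tune the window and count to the endpoint's real traffic, and would alert long before a walk reached the six-figure counts discussed in this thread.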

    19. Re:LOL by stenvar · · Score: 1

      You just lost the argument when you resorted to an ad hominem attack. You have shown that your argument is weak and switched to attacking the person.

      You said that it is important not to "sully" the name of white hat hackers because they supposedly fulfill some important function and accused me of trying to defend "black hat" hackers. I'm saying that I really have no preference between black hat and white hat hackers: I think they're both ineffective at improving security, have dubious motives, and have no reputation that could be sullied. If Weev getting off free would be bad for white hat hackers, it simply doesn't matter.

      Is entering a building through a door that someone forgot to lock, photocopying a bunch of confidential information and publishing it legal? No. The fact that the URL was not password protected is beside the point. Weev knew that obtaining the data the way he did was illegal.

      Physical trespass is defined in terms of crossing a well-defined (usually marked) physical boundary. You are trying to define electronic trespass in terms of what people "know" instead of well-defined boundaries.

      And I don't see why Weev should have known that; I and many others have "slammed" servers with hundreds of thousands of requests using sequentially generated numbers, and that has been legal. Harvesting of E-mail addresses from web pages is common and legal as well.

      It seems that you want to world to be black and white.

      No, I merely want laws that are reasonably well-defined, as opposed to laws that are so vague that almost everybody is a criminal and enforcement becomes arbitrary.

    20. Re:LOL by jklovanc · · Score: 1

      I think they're both ineffective at improving security, have dubious motives, and have no reputation that could be sullied.

      It seems that many companies disagree with you on this point. Companies like Google pay bounties on zero day hacks reported to them. The only way these bounties can be received is to attempt to hack the software. You may see no difference between white hat and black hat hackers but I and many others do.

      Physical trespass is defined in terms of crossing a well-defined (usually marked) physical boundary. You are trying to define electronic trespass in terms of what people "know" instead of well-defined boundaries.

      The boundary you are looking for is the port that services the URL request. Just because it is not a physical boundary does not mean that the same principle does not apply. What people "know" goes towards what in legal terms is mens rea. Weev knew what he was doing was illegal and did it anyway.

      And I don't see why Weev should have known that;

      If he was a legitimate security researcher one would think he would at least read up on the laws surrounding unauthorized computer access and identity fraud. There is also a well known legal axiom that "ignorance of the law is not a defense".

      I and many others have "slammed" servers with hundreds of thousands of requests using sequentially generated numbers, and that has been legal. Harvesting of E-mail addresses from web pages is common and legal as well.

      Did those servers you slammed belong to someone else? Did you have authorization to slam those computers? If the answers are no then count your lucky stars that you have not been prosecuted. Care to cite anything that states attempting to slam a server with "hundreds of thousands of requests using sequentially generated numbers" is legal? It could very well be seen as an attempt to circumvent security.

      No, I merely want laws that are reasonably well-defined, as opposed to laws that are so vague that almost everybody is a criminal and enforcement becomes arbitrary.

      The phrase "reasonably well defined" is a subjective term; it means different things to different people. To me "reasonably well defined" means prosecuting someone who served up several million requests to gain access to 114,000 pieces of confidential information. What does it mean to you? If you can not define what it means to you then you have a weak argument.

      Enforcement of all laws is arbitrary. Do you think someone who breaks into a house to find medical supplies to treat an accident victim should be prosecuted for burglary? By the law they did break in and remove items without authorization. Where the judgement comes in is intent and mens rea. Weev intended to break the law for publicity. He got the publicity he wanted and a prison sentence he deserved.

    21. Re:LOL by stenvar · · Score: 1

      It seems that many companies disagree with you on this point. companies like Google pay bounties on zero day hacks reported to them.

      Selling medicine for a disease that you helped spread in the first place doesn't make you the good guys.

      The boundary you are looking for is the port that services the URL request.

      So you're saying anybody who accesses a URL may be prosecuted?

      Did those server you slammed belong to someone else? Did you have authorization to slam those computers? If the answers are no the count you lucky stars that you have not been prosecuted. Care to cite anything that states attempting slamming a server with " hundreds of thousands of requests using sequentially generated numbers" is legal?

      It was legal and nobody complained about it. But there was a legal risk.

      It could very well be seen as an attempt circumvent security.

      And that is why the rules you propose are wrong.

      The phrase "reasonably well defined" is a subjective term; it means different things to different people. To me "reasonably well defined" means prosecuting someone

      And that's why people like you shouldn't be involved in computer security: you have bad judgment.

    22. Re:LOL by jklovanc · · Score: 1

      Selling medicine for a disease that you helped spread in the first place doesn't make you the good guys.

      Finding a disease that had yet to become an epidemic and pointing it out to the people who can cure it does make one a good guy. Finding a disease and infecting 114,000 people with it makes one a bad guy.

      So you're saying anybody who accesses a URL may be prosecuted?

      Read the law. You seem to conveniently ignore the word "unauthorized".

      It was legal and nobody complained about it. But there was a legal risk.

      Saying it was legal is not proof; it is an opinion. You have no proof that what you did was legal; you just didn't get caught.

      And that's why people like you shouldn't be involved in computer security: you have bad judgment.

      In my opinion, you have poor judgement in your opinion that a password is the only indicator of computer trespass. Opinions vary. In my opinion willfully exploiting a mistake to gain access to massive amounts of confidential data and publishing that data should be illegal. The courts have agreed.

    23. Re:LOL by stenvar · · Score: 1

      Saying it was legal is not proof; it is an opinion. You have no proof that what you did was legal; you just didn't get caught.

      You're absolutely right. And to remove that legal uncertainty, the laws need to change.

      Finding a disease that had yet to become an epidemic and pointing it out to the people who can cure it does make one a good guy

      No, it doesn't. "White hat hackers" provide economic incentives for companies to create insecure software and then have it fixed for much less money than if they had to do proper quality control in-house. And prohibitions against "black hat hackers" give them some protection against the risk that results from putting out insecure software. Either both "black hat" and "white hat" hackers should go to jail, or neither. The current situation is the worst of both worlds.

    24. Re:LOL by jklovanc · · Score: 1

      Either both "black hat" and "white hat" hackers should go to jail, or neither. The current situation is the worst of both worlds.

      This is your opinion. Again, you see the world as black or white, which leads you to the prosecute everyone/prosecute no one extremes. There are actually three options:
      1. Prosecute Everyone.
      That would lead to fewer security holes being found before being exploited by criminals.
      2. Prosecute no one.
      That would leave the door open for criminals to exploit vulnerabilities with no chance of conviction.
      3. Prosecute obvious black hat hackers.
      In my opinion this is a good compromise between the two other options. It would expose vulnerabilities while keeping consequences for criminal hacking.

    25. Re:LOL by stenvar · · Score: 1

      In my opinion this is a good compromise between the two other options. It would expose vulnerabilities while keeping consequences for criminal hacking.

      As I said: "white hat hackers" are one of the primary reasons we have security holes in the first place; their activities create the economic incentives for companies to release software with security holes in the first place.

      This is your opinion. Again, you see the world as black or white, which leads you to the prosecute everyone/prosecute no one extremes. There are actually three options:

      You just don't seem to grasp that, although "white hat hackers" helping fix security holes has a short term benefit, it is one of the primary reasons those security holes exist in the first place. Why should a company bother to spend lots of money to make my software secure if it can just release it and pay a fraction of what I would pay for quality control to cheap "white hat hackers", and at the same time be shielded from public humiliation by law?

      The only way to get companies to pay more attention to security is to raise the risk and the cost of releasing insecure software. Banning "black hat hacking" and allowing "white hat hacking" decreases risk and decreases costs of releasing insecure software, and that is exactly the wrong public policy.

      I'm sorry if that argument is too subtle for your simplistic black-and-white world view.

    26. Re:LOL by jklovanc · · Score: 1

      As I said: "white hat hackers" are one of the primary reasons we have security holes in the first place; their activities create the economic incentives for companies to release software with security holes in the first place.

      I guess you have never written a large system. Things get missed. It is your assumption that white hats create an incentive. You have no evidence toward that whatsoever. It is my opinion that the security holes would be there with or without white hats and that white hats help the public by finding them.

      Why should a company bother to spend lots of money to make my software secure if it can just release it and pay a fraction of what I would pay for quality control to cheap "white hat hackers",

      If there were too many simple security holes then people would move to other more secure software. Or the negligence lawsuits by companies broken into due to bad software. Or the lawsuits by customers whose data is exposed due to security breaches. Maybe you should look into the liability issues surrounding security breaches. In one instance a company gave identity theft protection to everyone whose credit card information was exposed. It cost them hundreds of thousands of dollars.

      and at the same time be shielded from public humiliation by law?

      They would not be shielded if the white hat hackers are not glory hounds like Weev. You continually ignore the point that there would not have been a court case if Weev had stopped at a few hundred email addresses. Perhaps the difference between uncovering a security hole and exploiting a security hole is too subtle for you.

    27. Re:LOL by Anonymous Coward · · Score: 0

      The idea of white hat hackers-and you-that we should achieve security by having an army of pimply kids (like you?) get paid peanuts for hunting down bugs in corporate software is beyond stupid. You're part of the problem. Don't expect any more respect for yourself than black hat hackers. A pox on both of you.

  4. Stretching the laws for corporations by sl4shd0rk · · Score: 4, Insightful

    What Weev did was spoof his Browser headers and then send a bogus ID to AT&T's webserver. The dumbasses who wrote and reviewed the code on AT&T's backend were negligent in that they blindly trusted the user input and spit out private information as a result. If that's what the Spec said was supposed to happen, then start climbing the ladder and find out who authorized customer info to be so accessible.

    In my mind, the people in charge of code review at AT&T need to be in court answering questions as to what other code they have facing the internet which could be circumvented in a similar way giving away customer info to anyone who can use a common browser plugin and simply change a form variable. This is a clear case of glaring corporate negligence being covered with the Computer Fraud and Abuse Act.

    I'm not even sure what the CFAA is supposed to protect, but if its primary use is to keep people from asking questions about how their private info is stored, and who has access to it, then get rid of it. The only people winning from legislation like that are the ones who would otherwise be sued for negligence.

    --
    Join the Slashcott! Feb 10 thru Feb 17!
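The failure mode sl4shd0rk describes (a lookup gated only on a spoofable request header, which then trusts a caller-supplied identifier) is easy to model. The block below is an added example written for this page; it is not AT&T's code and not code from anyone in the thread. The device identifiers, the session token, the client IP and the "trusted" User-Agent string are all constructed for the demo and follow no real numbering scheme. The "before" handler leaks one address per guessed id to anyone who sets the header; the "after" handler ignores the header, requires a session that was issued for that specific id, and rate-limits per client so that a sequential walk through the id space is cut off after a handful of requests rather than after 114,000:

```python
"""Added illustrative example (not AT&T's code, not code from the thread)."""
from collections import defaultdict, deque
from typing import Dict, List, Optional, Tuple

# Constructed sample backend table: device identifier -> account email.
DEVICE_EMAILS: Dict[str, str] = {
    "1000000000000100": "alice@example.com",
    "1000000000000101": "bob@example.com",
    "1000000000000102": "carol@example.com",
}

# Hypothetical User-Agent fragment the weak handler treats as "a real device".
TRUSTED_UA = "HypotheticalTabletBrowser/1.0"


def lookup_email_vulnerable(headers: Dict[str, str], device_id: str) -> Optional[str]:
    """'Before': the only gate is a client-controlled header, and the id is trusted as-is."""
    if TRUSTED_UA not in headers.get("User-Agent", ""):
        return None
    return DEVICE_EMAILS.get(device_id)


# Constructed session store: bearer token -> the one device id it was issued for.
SESSIONS: Dict[str, str] = {"tok-alice-77f3": "1000000000000100"}


class RateLimiter:
    """Sliding window: at most `limit` requests per `window` seconds for each key (here, client IP)."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit, self.window = limit, window
        self._hits: Dict[str, deque] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        while q and now - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


LIMITER = RateLimiter(limit=5, window=60.0)


def lookup_email_hardened(headers: Dict[str, str], device_id: str,
                          client_ip: str, now: float) -> Tuple[str, Optional[str]]:
    """'After': rate-limit first, then require a session bound to exactly this id.
    The User-Agent header is never consulted; it is attacker-controlled."""
    if not LIMITER.allow(client_ip, now):
        return "rate_limited", None
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):].strip() if auth.startswith("Bearer ") else ""
    if not token or SESSIONS.get(token) != device_id:
        return "unauthorized", None
    return "ok", DEVICE_EMAILS.get(device_id)


def enumerate_vulnerable(start: int, count: int) -> List[str]:
    """Attacker loop: spoof the header and walk sequential ids against the weak handler."""
    spoofed = {"User-Agent": TRUSTED_UA}
    leaked: List[str] = []
    for n in range(start, start + count):
        email = lookup_email_vulnerable(spoofed, str(n))
        if email:
            leaked.append(email)
    return leaked


def enumerate_hardened(start: int, count: int, client_ip: str = "203.0.113.9") -> Dict[str, int]:
    """Same loop against the hardened handler; one request per simulated second.
    Returns a tally of outcomes: nothing leaks, and the limiter kicks in after 5."""
    spoofed = {"User-Agent": TRUSTED_UA}
    tally: Dict[str, int] = defaultdict(int)
    for i, n in enumerate(range(start, start + count)):
        status, _ = lookup_email_hardened(spoofed, str(n), client_ip, now=float(i))
        tally[status] += 1
    return dict(tally)


if __name__ == "__main__":
    print("vulnerable leaked:", enumerate_vulnerable(1000000000000095, 10))
    print("hardened outcomes:", enumerate_hardened(1000000000000095, 10))
```

Two things the example makes concrete: the header check adds no security at all once the attacker knows which string to send, and the per-client limit is the control that turns a mass harvest into a few hundred addresses at most, which is the scale the thread repeatedly says would not have drawn a prosecution. A real deployment would also key the limit on the session, not just the source IP, since an attacker can spread requests across many addresses.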
    1. Re:Stretching the laws for corporations by Anonymous Coward · · Score: 3, Informative

      The only people winning from legislation like that are the ones who would otherwise be sued for negligence.

      And who do you think wrote the legislation?

      Whenever laws like this are written, it's the corporate interests via their lobbyists who write the laws.

      Then said Congressman, on that particular corporation's buddy list, submits the law as his own work.

      Being a Congressman is a pretty cushy deal - 6 figure income, other people do your work, you get your ass kissed, travel around for free and get entertained, no worries about what the little people go through and it just goes on ....

      If it weren't for the fact that I'm a really shitty liar (and couldn't keep a straight face with a platform needed to be elected), I'd jump on the job in a heartbeat!

    2. Re:Stretching the laws for corporations by Infiniti2000 · · Score: 2, Insightful

      Whoa, easy on the vitriol there, bub. Don't let bad design cloud your judgment of the actual case. It matters not how badly the AT&T folks implemented security (or not) on their system. The fact is Weev "stole" it (copied without permission) and then stupidly publicized it. What's more, he "shared it with various interested parties."

      As far as I'm concerned, anyone calling their group Goatse Security needs to be punished anyway. I'm not interested in trying to explain to my 6yo what the fuck that means.

    3. Re:Stretching the laws for corporations by hublan · · Score: 2

      Whoa, easy on the vitriol there, bub. Don't let bad design cloud your judgment of the actual case. It matters not how badly the AT&T folks implemented security (or not) on their system. The fact is Weev "stole" it (copied without permission) and then stupidly publicized it. What's more, he "shared it with various interested parties."

      If AT&T had left printouts of highly personal data in a dumpster and someone had found it right there, then I don't think you would've had a problem fingering the culprit. AT&T, right? Dumpster diving would certainly not get someone 41 months in the slammer (e.g. California v. Greenwood).

      In other words, it was right there in the open. Hence, the blame lies squarely with AT&T for not properly securing their customers' private information.

      As far as I'm concerned, anyone calling their group Goatse Security needs to be punished anyway. I'm not interested in trying to explain to my 6yo what the fuck that means.

      Your obvious lack of parenting skills is not his responsibility.

      --
      My spoon is too big.
    4. Re:Stretching the laws for corporations by DarkOx · · Score: 3, Insightful

      I'd say ATT published it when they made it available online via webserver with no effective authentication around it.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    5. Re:Stretching the laws for corporations by omnichad · · Score: 1

      Exactly. He could have used first initials and last names and scrubbed the email address into an SHA-1 hash - enough to prove that he retrieved the list, but not enough to actually stupidly share around customer details.
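A redacted proof of retrieval along the lines omnichad suggests can be built in a few lines, with one caveat a practitioner would add: a plain SHA-1 of an email address is not a redaction, because anyone can hash a list of guessed addresses and match them against the published digests. The block below is an added example, not code from the thread and not anything AT&T or the researchers used. It keys the digests (HMAC-SHA-256) with a secret the researcher keeps, so the vendor can verify the claim after being given the key while the published table alone matches nothing; it also shows the plain-hash version being reversed by guessing. The record list and key are constructed sample data:

```python
"""Added example (not from the thread): redacted, verifiable proof of retrieval."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed (name, email) pairs standing in for a retrieved customer list.
SAMPLE_RECORDS: List[Tuple[str, str]] = [
    ("Alice Example", "alice@example.com"),
    ("Bob Sample", "bob@example.com"),
]


def _normalise(email: str) -> bytes:
    """Canonical form so researcher and vendor hash the same bytes."""
    return email.strip().lower().encode()


def redact_record(name: str, email: str, key: bytes) -> Dict[str, str]:
    """First initial + last name, plus a keyed tag of the email. The tag is useless
    without the key, so publishing this row discloses no usable address."""
    first, _, last = name.partition(" ")
    tag = hmac.new(key, _normalise(email), hashlib.sha256).hexdigest()
    return {"who": f"{first[:1]}. {last}", "email_tag": tag}


def redact_all(records: List[Tuple[str, str]], key: bytes) -> List[Dict[str, str]]:
    return [redact_record(n, e, key) for n, e in records]


def vendor_verifies(published: List[Dict[str, str]], key: bytes,
                    vendor_records: List[Tuple[str, str]]) -> bool:
    """Vendor side: recompute tags over its own data with the disclosed key and
    confirm every published tag is present. Wrong key or fabricated rows fail."""
    own = {hmac.new(key, _normalise(e), hashlib.sha256).hexdigest() for _, e in vendor_records}
    return bool(published) and all(row["email_tag"] in own for row in published)


def plain_sha1_tags(records: List[Tuple[str, str]]) -> List[str]:
    """The unkeyed variant: what a literal 'SHA-1 of the email' would publish."""
    return [hashlib.sha1(_normalise(e)).hexdigest() for _, e in records]


def guess_hits(tags: List[str], candidate_emails: List[str]) -> int:
    """Attacker side: hash guessed addresses with the common unkeyed functions and
    count matches. This recovers plain-hash tags but not keyed ones."""
    tagset = set(tags)
    hits = 0
    for cand in candidate_emails:
        data = _normalise(cand)
        for h in (hashlib.sha1(data).hexdigest(), hashlib.sha256(data).hexdigest()):
            if h in tagset:
                hits += 1
    return hits


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # researcher keeps this until disclosure
    published = redact_all(SAMPLE_RECORDS, key)
    guesses = ["alice@example.com", "bob@example.com", "eve@example.com"]
    print(published)
    print("vendor verifies:", vendor_verifies(published, key, SAMPLE_RECORDS))
    print("guess hits vs keyed tags:", guess_hits([r["email_tag"] for r in published], guesses))
    print("guess hits vs plain SHA-1:", guess_hits(plain_sha1_tags(SAMPLE_RECORDS), guesses))
```

The point is the asymmetry: two rows and a key are enough to prove to the vendor that the data really was reachable, and the key can be handed over privately, whereas a verbatim dump or an unkeyed hash table proves the same thing to everyone else too.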

    6. Re:Stretching the laws for corporations by tnk1 · · Score: 1

      Spoofing browser headers to overcome security restrictions, even laughably bad security restrictions, is not the same as dumpster diving. For one thing, it's already been ruled that having stuff in the trash indicates the intent to make that trash freely available to be removed, and as such, anyone can remove all or any part of such and even have it used as evidence against the original owner.

      So, the comparison is not appropriate because the intent and the law are strikingly different, even if the company's incompetence is similar between those instances.

      That said, it is good to know just how bad online security really is. I find myself torn between the full-disclosure types who release this stuff to make sure it gets attention, and the effects that such disclosures could have if the company does not act in time to deal with them.

      Full disclosure's goal is to secure the attention and cooperation of the insecure party, or failing that, to allow everyone else to know that they need to take action. The problem is, the end user either does not come to hear of these vulnerabilities, or failing that, they can't easily alter their own level of vulnerability. Additionally, even if the company is at fault for the issues, they may have dug themselves into a hole they can't quickly extract themselves from.

      There is the school of thought that if the vulnerabilities have been found by the security researchers, then they have already been found, or will soon be found by black hats. For vulnerabilities that are trivial to discover and exploit, this is probably the case. I can't help wondering, however, if the black hats get most of their best material by simply watching the full-disclosure releases more closely than anyone else, and letting the white or grey hats do the hard work for them.

    7. Re:Stretching the laws for corporations by VortexCortex · · Score: 1

      As far as I'm concerned, anyone calling their group Goatse Security needs to be punished anyway. I'm not interested in trying to explain to my 6yo what the fuck that means.

      Disgusting. And you have no fucking problem with explaining why the &T in AT&T exists?

      Fascist scum such as you are the ones who should be punished. Give your kid up for adoption before you destroy them with retarding ideas such as "censorship of nature isn't evil."
      The children of the average uneducated natives world wide stand more of a chance at surviving to adulthood with their brains intact, and they see "violence", "nudity" and even "intestines" just from living day to day and cooking food -- A skill you probably can't handle, or if so, still can't perform unless your meat's been butchered and packaged.

      Does your six year old know what a penis and vagina are, and are for? The six year olds in fucking 3rd world countries do, you monster.

    8. Re:Stretching the laws for corporations by Hatta · · Score: 1

      The fact is Weev "stole" it (copied without permission) and then stupidly publicized it.

      The fact is Weev submitted an HTTP request and got data back. Just like every other HTTP request ever.

      As far as I'm concerned, anyone calling their group Goatse Security needs to be punished anyway. I'm not interested in trying to explain to my 6yo what the fuck that means.

      Apparently you're not interested in trying to explain to your 6yo what freedom of speech or proportional justice means either.

      --
      Give me Classic Slashdot or give me death!
    9. Re:Stretching the laws for corporations by Infiniti2000 · · Score: 1

      If AT&T had left printouts of highly personal data in a dumpster and someone had found it right there, then I don't think you would've had a problem fingering the culprit. AT&T, right? Dumpster diving would certainly not get someone 41 months in the slammer (e.g California v Greenwood).

      In other words, it was right there in the open. Hence, the blame lies squarely with AT&T for not properly securing their customers' private information.

      This is a terrible analogy, and tnk1 has covered most of it. Let me further clarify that most locations for AT&T that I've been to do not maintain their dumpsters outside their curtilage. This would negate the reference to Greenwood v CA. Additionally, I know AT&T regularly uses a shredding company, so any really important stuff (especially for government contracts) goes through that. In any case, I think the better analogy is if I place my wallet on a counter and walk away from it. I say that it's still my property and you do not have the authority to go to it, open it, and take the money. You, apparently, think it's perfectly okay to take the money out of my wallet. Or, if you think taking the passwords was not "stealing" then let's say I have a password on a piece of paper in my wallet, it's okay to open up the wallet, copy it, and put it back. Let's take this one step further, though, which is closer to what happened. Let's say you're skilled enough to pick my pocket (e.g., skilled enough to spoof addresses). You pick my pocket, copy off the passwords, and then drop the wallet or somehow give it back (reverse pick pocket?). That's okay to you?

      Your obvious lack of parenting skills is not his responsibility.

      This is almost a non sequitur. I don't care to explain the origin of goatse to a 6yo and I have an obvious lack of parenting skills? Honestly, I would have thought the opposite! Do you really agree with the idiotic response by VortexCortex? You must like goatse, then?

    10. Re:Stretching the laws for corporations by Infiniti2000 · · Score: 1

      Apparently you're not interested in trying to explain to your 6yo what freedom of speech or proportional justice means either.

      That's a stupid response. Do you honestly think the origin of the goatse name is appropriate for 6 year olds? What the fuck does freedom of speech have to do with this? Or, did you seriously fucking think I really mean for him (Weev) to be punished solely on the name of the company? Can't you understand sarcasm? The fact is that Goatse Security is a really stupid name and I hope the company never gets any customers. But, no, he shouldn't do jail time for it.

    11. Re:Stretching the laws for corporations by Hatta · · Score: 1

      Or, did you seriously fucking think I really mean for him (Weev) to be punished solely on the name of the company?

      Why would I not believe that, based on what you said? People believe far stupider things. Many of them are even federal prosecutors.

      --
      Give me Classic Slashdot or give me death!
  5. LOL. Okay, and.....? by SomePoorSchmuck · · Score: 4, Insightful

    "...not only is Weev's conviction bad law, if upheld, it will destroy independent security research, and perhaps the rest of consumer safety research as well."

    Yeah, I'm pretty sure that's the point. What in the world makes them think the government and the mega corps that they've merged with wouldn't want to "destroy independent security research" and "consumer safety research"? You think those federal-corporate cockroaches want you shining a light on their clandestine behind-the-fridge data gorging?

    --

    Hollywood, Television, has become the dream machine. We need to take that back; each of us is a Dream Machine
  6. pertinent by SayFullHernandez · · Score: 1

    may have been pertinent to briefly explain what he actually did in the summary

  7. Similar to the Swartz case in one respect by Anonymous Coward · · Score: 0

    Auernheimer didn't just violate the law, he intentionally did it on such a scale as to bring attention to himself. He was saying to the authorities as well as those on his side, look, you can't ignore what I just did. So they didn't.

  8. What this really is by Zontar_Thing_From_Ve · · Score: 2

    In reality this is a just a case of the following:
    Researcher finds that Joe Blow has gone out of town and left the door to his house unlocked and open. Researcher publishes this information in a blog along with the address to the house. House gets robbed. Police hold Researcher responsible. Researcher insists it's not his fault that the house got robbed.

    Yes it really is that simple.

    1. Re:What this really is by Anonymous Coward · · Score: 0

      In reality this is a just a case of the following:

      Researcher finds that Joe Blow has gone out of town and left the door to his house unlocked and open. Researcher publishes this information in a blog along with the address to the house. House gets robbed. Police hold Researcher responsible. Researcher insists it's not his fault that the house got robbed.

      Yes it really is that simple.

      Actually a better analogy would include "Researcher steals everything from house as a 'proof of concept' that unlocked houses can be robbed". There was no need to download over 100,000 users' data and send copies of it to the media to prove that it could be done.

    2. Re:What this really is by Culture20 · · Score: 4, Insightful

      Did he delete the data on AT&T servers? Refine the analogy so the researcher is using a digital camera.

    3. Re:What this really is by abiggerhammer · · Score: 1

      By this logic, the developers of pleaserobme.com, which (before they decided they'd made their point and went to an informational site) mashed up Foursquare and Twitter data to determine when people had themselves voluntarily disclosed that they were out of their homes, should also be in prison. In other words, your analogy, along with AC's in reply to you, commit the logical fallacy of proving too much.

      --
      Dance like nobody's watching. Sing like you're in the shower. Fuck like you're being filmed.
    4. Re:What this really is by sideslash · · Score: 1

      "Stealing" is a poor choice of words to refer to copying information. When you steal from a house, then the owners of the house don't have those possessions anymore. So no, it really is not as simple as your analogy.

    5. Re:What this really is by JaredOfEuropa · · Score: 1

      Even better: "Researcher copies and publishes every document in the house as proof that the door was unlocked". Nothing was removed. I'd say that downloading the data and sharing it in some way with the press was necessary to demonstrate the weakness of AT&T's system, with the caveat that the press should use the data only to verify the claims, not publish them to the general public. His subsequent handling of the affair does merit some punishment though.

      What was he actually being punished for; the hack, or the publication of private data?

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    6. Re:What this really is by Trepidity · · Score: 2

      No, it isn't really related to that at all. Public-facing web servers, unlike houses, are not by default considered private. The public is expected to and routinely does enter. They are private property, but private property regularly offered to public use. If you require a physical space analogy, sort of like a plaza owned by a corporation, in front of its HQ, which has no fences around it and is regularly accessed by the public.

    7. Re:What this really is by Anonymous Coward · · Score: 0

      What would be a better word then? He copied information that was not his to copy, accessed by a means not known to the common person.

      The laws, as written, are ill-suited to deal with situations of this kind, but they're the only ones we've got at the moment.

      Is 41 months too harsh? Probably. And it's a straight up punishment, not a deterrent to other people doing "independent security research".

    8. Re:What this really is by sideslash · · Score: 1

      Why don't you just say he copied the information, my vocab-challenged AC?

    9. Re:What this really is by interkin3tic · · Score: 1

      I don't think in your example that the researcher should be sent to jail. Maybe the homeowners could sue him in a civil suit, but the federal government shouldn't be sending him away for noting that someone left the door unlocked and open.

    10. Re:What this really is by Anonymous Coward · · Score: 0

      Researcher finds that Joe Blow has gone out of town and left the door to his house unlocked and open. Researcher publishes this information in a blog along with the address to the house. House gets robbed. Police hold Researcher responsible. Researcher insists it's not his fault that the house got robbed.

      I do not know the details of what he "the Researcher" did, but it was definitely the case that Joe Blow/AT&T kept other people's stuff in his house. Having signed a contract to keep that stuff safe. So, even assuming your analogy holds, why is Mr Joe Blow not being punished in addition to whatever happens to the Researcher?

    11. Re:What this really is by tnk1 · · Score: 1

      The home invasion scenario only goes so far. In a trespass situation, your presence in the house is enough to get you convicted, but you may well be able to get away with copies of documents and not face charges. I would believe, however, that such an action would aggravate your trespass, or at best, could be used against you in court as evidence that you were, in fact, in the house.

      However, in the case of *consumer data*, there are specific laws about that data while they happen to be in computer systems. Chances are that data you could duplicate without legal ramifications from a home, you could still not duplicate from a computer system. Indeed, you might well come under the same headings as the company that is supposed to have protected your data to begin with.

      Theoretically, he should be busted for the act of obtaining access to a computer system, although realistically, no one will bother to charge him if he simply gained access and did nothing. These are at least "semi-public access" systems and he needs to have demonstrated some intent to trespass, and with a computer, simply having your access attempt logged, with no follow up action, is unlikely to be very persuasive in front of a jury. If he admitted to it freely, they might get a conviction, but some web vulnerabilities are so easy to exploit that some people exploit them and don't even realize what they've done.

    12. Re:What this really is by jedidiah · · Score: 1

      > What would be a better word then? He copied information that was not his to copy, accessed by a means not known to the common person.

      What he did was actually much simpler than picking a lock.

      Attempting to use the "average idiot" standard isn't terribly compelling because that's a moving target. Your claim about the difficulty of this task likely does not hold true across generations.

      This "l33t hack" is probably a non-Herculean task for many young people just as it seems pretty trivial to any computing professional or hobbyist.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    13. Re:What this really is by Anonymous Coward · · Score: 0

      That's an absolutely terrible analogy. A company is not like a home and the security expectations of a company like AT&T are not like those in a home. AT&T is more like a bank than a home - a bank that stores important things that cannot be replaced. The situation is more like discovering that all the walls in your bank are holograms, including the walls to the vault. So anyone can just walk right through and take everyone's prized possessions stored in the vault. If you tell people that this bank has terrible security for this reason, you are at the same time letting bad people know that robbing the bank would be quite easy. In this situation I'd blame the bank for putting up holograms as a security measure. I would not blame the person who let the customers know that their bank has terrible security. So no, it really is not as simple as your analogy.

    14. Re:What this really is by Patman64 · · Score: 1

      Yeah, it's more like an office building where every single door inside is unlocked and there's no security to be found, someone tells the world, and people go in and photograph all the documents. And then the building manager gets mad at the guy who told everyone.

    15. Re:What this really is by mi · · Score: 2

      Well, if the NSA going through your electronic mails — without even touching anything tangible in your house — is a violation of the 4th Amendment, then the distinction you are trying to make regarding copying electronic data is without (much) difference...

      --
      In Soviet Washington the swamp drains you.
    16. Re:What this really is by Anonymous Coward · · Score: 0

      Door-to-house analogies don't work well, for data that is on public-facing servers w/out authentication.

      If we're going to make up analogies, then why not this: the owner of a house consciously and deliberately moved all the house's contents onto the sidewalk. The analogy of the id-in-the-header is that the person who decided to move things to the sidewalk, was under the mistaken impression that the sidewalk was poorly lit and no one would be able to see the items sitting there.

      It sucks that someone came by and helped himself to everything on the sidewalk. People who do that are assholes, and we ought to look for ways to hurt them. But deciding to hurt them by fraudulently charging them with B&E does not serve our interests, because it just undermines the seriousness of B&E convictions, and we want B&E to remain a real crime. Also, B&E sentencing is likely to be far heavier than the type of harm that we'd normally choose to inflict upon people who abuse sidewalks, so not only does it work against our selfish interests, but it works against justice too.

    17. Re:What this really is by jkflying · · Score: 1

      I think a good analogy would be a post office making all its PO boxes open when you knock on them. He opened his box and noticed that they were horribly designed, so then he knocked on all of them and took pictures of the contents, which he sent to a local journalist as proof of the poor design that he had discovered.

      Sure, what he did was overboard. But having such a poor security mechanism on their mail boxes is most certainly the fault of the post office. He should be blamed for the publicising (unless it can be shown that he first went to the post office and gave them reasonable warning), and the post office blamed for the poor design of the mail boxes.

      --
      Help I am stuck in a signature factory!
    18. Re:What this really is by Anonymous Coward · · Score: 0

      Public-facing web servers, unlike houses, are not by default considered private.

      He had to forge his ID to get access. Sure it shouldn't have been that easy, but he didn't stop there. He forged millions of IDs to download information on 114K people. That's not research. When would you stop if you were researching? 10? 20? 50? Certainly if you kept going to 114K you were doing something else. Bad faith was involved, seriously bad faith.

    19. Re:What this really is by b4upoo · · Score: 1

      All of the weight of guilt falls upon the criminal. For example if you fail to lock up your bicycle and it is stolen the thief is not less guilty. And if I put it all over youtube that you never lock up your bicycle the thief still bears all of the guilt.

    20. Re:What this really is by Anonymous Coward · · Score: 0

      Did he delete the data on AT&T servers? Refine the analogy so the researcher is using a digital camera.

      Of course it's not as simple as theft of physical goods (it is an analogy after all), but it's not as bad as all that considering we are talking about supposedly private information.

      The 'value' lost is that of the degree of privacy about their personal details which people reasonably expected to have, not their personal details in themselves. It's straining the analogy to consider this 'value' as property, but it's not worthless either.

    21. Re:What this really is by Mathinker · · Score: 1

      There was no need to download over 100,000 users' data and send copies of it to the media to prove that it could be done.

      While I think it was idiotic for him to do that, I'm not totally convinced about the judge's reasoning in this regard. The wholesale downloading confirmed that AT&T didn't have any kind of other defenses which might have limited the damage --- for example, some kind of download limits per IP address. I can't find any justification for the subsequent distribution of the information verbatim to the press, however.

    22. Re:What this really is by Anonymous Coward · · Score: 0

      What he did was actually much simpler than picking a lock.

      Please do not perpetrate the myth that locks are hard to pick. I taught my wife to pick locks well enough to pick about 85% of what you can buy at the average American hardware store in about 10 minutes.

      Most residential doors have a large glass window right next to them, so there's really very little reason to make them all that hard to pick. Locks are there to keep honest people honest.

    23. Re:What this really is by Anonymous Coward · · Score: 0

      Researcher walked into the house, spent an entire afternoon going through every last closet, cabinet, and box and snapping high-res photos of the contents, and then uploaded them all to a blog.

      FTFY

    24. Re:What this really is by Trepidity · · Score: 1

      Yelling numbers in a public square is not exactly forging an ID.

  9. I have it on good authority by Anonymous Coward · · Score: 0

    that none know nor care about "Weev"; weev got our own lives to live.

    AlphaFalfa

  10. Authoritarian governments by Anonymous Coward · · Score: 2, Informative

    ...will be the first pwned in a cyberwar because fear will have kept their system from ever being tested.

    1. Re:Authoritarian governments by jklovanc · · Score: 1

      Testing would be getting a few hundred addresses and informing the company of the issue. Weev did much more than that. He got over 114,000 email address over a number of days and sent copies to people he knew were not authorized to have that data. He crossed the line between white hat and black hat. Even the judge stated that had he stopped at a few hundred he would not have been convicted.

  11. Sorry by damicatz · · Score: 4, Insightful

    I'm finding trouble having sympathy for this guy.

    He manipulated URLs to access areas that were not publicly visible. The information that he gleaned by manipulating these URLs was information that any reasonable person would deduce as information AT&T did not intend to make public. Rather than informing AT&T about the vulnerability, he went to Gawker and leaked the information that he gained, victimizing all of those people in the process. Just because someone leaves a door unlocked or open does not give you the right to go in and steal stuff and this is no different. Mens rea is *everything* here; if he had just gone to AT&T or acted responsibly in the disclosure, rather than trolling, he would most likely have never been charged.

    As far as the prison sentence goes, he brought that on himself as well. It is *beyond* stupid to swear at a federal judge and call her a "mean bitch" when she is the one that is sentencing you. It is *beyond* stupid to go on a public forum and post that you intend to commit the same crimes again once you get out of prison. Do not complain when you get the book thrown at you after you try to turn the courtroom and the trial into a three-ring circus. Trolling a federal judge is never a good idea.

    There is also the matter of his past history. I have not forgotten about what he did to Kathy Sierra or the other women that he made rape threats against. Or the "GNAA". His entire life has been dedicated to griefing people and generally being an asshole and yeah, the judge is going to look at that.

    1. Re:Sorry by Anonymous Coward · · Score: 0

      Was he the one who anonymously harassed Kathy Sierra (founder of javaranch.com)? I remember she told a reporter she was frightened. This guy should be in prison for that.

    2. Re:Sorry by CanHasDIY · · Score: 3, Insightful

      As far as the prison sentence goes, he brought that on himself as well. It is *beyond* stupid to swear at a federal judge and call her a "mean bitch" when she is the one that is sentencing you. It is *beyond* stupid to go on a public forum and post that you intend to commit the same crimes again once you get out of prison. Do not complain when you get the book thrown at you after you try to turn the courtroom and the trial into a three-ring circus. Trolling a federal judge is never a good idea.

      Yea, it's not like the people who came up with the idea for this country made it the law that every citizen has a right to bitch to and about government agents, right?

      Oh, wait...

      You know, it's a sad day in America when the exercise of our civil liberties is colloquially considered to be a "stupid" action...

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    3. Re:Sorry by damicatz · · Score: 2

      You have the right to free speech. That doesn't mean you have immunity from the consequences of your speech. If you go around telling everyone, during sentencing, that you are going to go and commit the same crime again (regardless of whether you agree it should be a crime or not), the judge is absolutely going to take that into account during sentencing because it indicates a high probability that the person will do the same thing again.

    4. Re:Sorry by Trepidity · · Score: 1

      I agree trolling a federal judge is not a good idea, but that doesn't really excuse the judge inventing a sentence outside the federal sentencing guidelines based on a flimsy justification. Damages still have to be computed in a legitimate manner, and the judge is still restricted by the sentencing guidelines, even if they hate the defendant.

    5. Re:Sorry by thoriumbr · · Score: 4, Interesting

      Let's pretend you have a million bucks in some bank (you do have, don't you?). The bank says it will protect your money with their lives, and everything is secure. Someday you hear that one researcher (or troll, or terrorist) went to the parking lot next to the bank, started a sniffer, and discovered that your bank uses unencrypted WIFI networks, so he added a private IP address to his network card and could access all bank servers and read data from any account.
      Who would you blame? The bank or the guy?

      I still think that Weev is not a saint, but AT&T is to be blamed here. AT&T had to get a hefty fine for gross negligence, putting hundreds of thousands of customers in danger. Weev must be fined too, but serving 41 months of jail time is too much, IMHO.

    6. Re:Sorry by Nemyst · · Score: 1

      Wait, you do realize your free speech right only means you have the right to say it, right? It doesn't shield you from the consequences of saying it. The guy was indeed allowed to say it, and wasn't necessarily punished for it, but in any normal society being an asshole isn't going to positively influence the people around you. You can still do it, but don't whine about the consequences.

    7. Re:Sorry by Anonymous Coward · · Score: 1

      Just because you have the right to do something doesn't mean it's the right thing to do, let alone a smart thing to do.

    8. Re:Sorry by adri · · Score: 1

      Actually, re-read what the right of free speech in the united states means. Then please re-evaluate your statement.

    9. Re:Sorry by Anonymous Coward · · Score: 0

      A human element comes into play with law enforcement, as in many other areas of our lives. If you drive by a cop, roll down your window, and say, "GOOOD AFTERNOON Pole-eece ossifer!" there's a high likelihood that you'll be pulled over and busted for a minor traffic or safety violation.

    10. Re:Sorry by damicatz · · Score: 2

      Both. What AT&T did was stupid and inexcusable from a security standpoint but that doesn't make exploiting it right. As I said, I would have more sympathy if he were a legitimate security researcher who tried to go through the proper channels. As it stands, he is nothing but a troll that has devoted his entire life to making other people miserable and he finally trolled one person too many.

    11. Re:Sorry by CanHasDIY · · Score: 1

      You have the right to free speech. That doesn't mean you have immunity from the consequences of your speech.

      When it comes to speech about the government, you're supposed to have immunity.

      That's kinda the whole fucking point; they aren't really civil liberties if you can be punished by the government by exercising them.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    12. Re:Sorry by CanHasDIY · · Score: 1

      A human element comes into play with law enforcement, as in many other areas of our lives. If you drive by a cop, roll down your window, and say, "GOOOD AFTERNOON Pole-eece ossifer!" there's a high likelihood that you'll be pulled over and busted for a minor traffic or safety violation.

      Which is a gross violation of your civil liberties, an act that you and every bystander in earshot should actively protest to that pig's face.

      We won't have any rights before long, if pussified bitches (like some of the respondents here) won't grow the balls necessary to defend them.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    13. Re:Sorry by Anonymous Coward · · Score: 0

      While I agree that the defendant's behaviour was stupid, that bit is better covered by having a large part of the sentence on probation, with a sufficiently long probation period. Sentencing should not punish the defendant for things he might do in the future (even if he said so).

    14. Re:Sorry by CanHasDIY · · Score: 1

      Actually, re-read what the right of free speech in the united states means. Then please re-evaluate your statement.

      Yea, this.

      Contrary to modern ideology, freedom of speech has absolutely nothing to do with the right to blast everyone around you with ads and crappy music, but rather references our natural right to bitch about the government without having to fear repercussions.... like, say, being given an extended prison sentence because you mouthed off to a government agent.

      Weev should sue that mean bitch for civil rights violations, maybe even get her Constitutionally-ignorant ass barred from the bench.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    15. Re:Sorry by damicatz · · Score: 2

      The problem is, that simply isn't how it works and it has never worked that way.

      For example, there is something called the reasonable time and place restriction. If you try to hold a protest in front of the White House at 2am in the morning, you absolutely will be forced away by the police and them doing such is perfectly constitutional. The same goes for a courtroom; you cannot act out in court. If you disagree with a judge, the appropriate process is to appeal that decision. And, furthermore, things you say can be used against you in court (Look up Miranda Warning).

    16. Re:Sorry by interkin3tic · · Score: 3, Insightful

      Unfortunately, now there's a precedent for sending the next whistleblower to prison, even if said next whistleblower was a saint.

      I suppose that probably would have happened anyway, since somehow companies think that a scapegoat will distract from their security lapses.

    17. Re:Sorry by CanHasDIY · · Score: 1

      For example, there is something called the reasonable time and place restriction.

      [citation needed], as from what I see:

      Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

      No such distinction is made; or perhaps 'shall make no law' and 'abridging' has a different meaning in the parallel universe you inhabit?

      Don't even bother with any of that 'legal precedent' nonsense, either, as any 9th grader who stayed awake in Civics can tell you that the Constitution cannot be superseded by anything short of a Constitutional amendment, which case law does not qualify as (perhaps that's what's wrong with our legislators - too busy having coke & whore parties to actually pay attention in their secondary school governance classes).

      The same goes for a courtroom; you cannot act out in court.

      ... and yet, stripping naked in a public place is considered "protected speech"...

      Seems pretty convenient, that 'free speech' only seems to apply when a citizen is not in sight or earshot of a government agent, doesn't it?

      Here's an idea: maybe you should go back and read over some of the other writings of the Constitution's signatories, and develop for yourself a concept of why we have civil liberties to begin with. I'll give you a hint: the concept and assignment of rights has absolutely nothing to do with how citizens interact with one another.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    18. Re:Sorry by c · · Score: 1

      if he had just gone to AT&T or acted responsibly in the disclosure, rather than trolling, he would most likely have never been charged.

      I tend to agree with most of what you wrote, except that.

      It's been shown time and time again that when it comes to reporting security issues, large corporations like AT&T have a very strong "shoot the messenger" tendency. Unless you can do it anonymously, reporting a disclosure to them is almost certain to get you charged.

      --
      Log in or piss off.
    19. Re:Sorry by Glarimore · · Score: 2

      He went to Gawker and leaked the information that he gained, victimizing all of those people in the process. Just because someone leaves a door unlocked or open does not give you the right to go in and steal stuff and this is no different.

      A door being unlocked doesn't obligate you to inform the owner of the door, nor is there any reason you can't tell someone else about it.

      It is *beyond* stupid to swear at a federal judge and call her a "mean bitch" when she is the one that is sentencing you.

      I think that, like with police officers, it is up to a judge to be the "bigger man" and realize that although it is rude, being a dick isn't something someone should get jail time for.

      It is *beyond* stupid to go on a public forum and post that you intend to commit the same crimes again once you get out of prison.

      It is stupid, but if the "crimes" that landed him in jail should not have led him to be serving jail time to begin with, I think he has reason to make a big, public hubbub about it. The guy is an asshole, but I don't want any dangerous precedents being set just so he gets punished. Besides, there is nothing to gain from him being in jail.

      His entire life has been dedicated to griefing people and generally being an asshole and yeah, the judge is going to look at that.

      Maybe we should go ahead and throw Kanye West in jail the next time he gets a moving violation? I mean, the guy is generally an asshole.

    20. Re:Sorry by Glarimore · · Score: 1

      You do realize that the whole point of "Free Speech" is that is DOES shield you from consequences of your speech that would come from the GOVERNMENT. You know, like extra jail time?!

    21. Re:Sorry by Charliemopps · · Score: 1, Informative

      Ok, that link should be at the top of this discussion. After reading that I've no interest in seeing him get out of jail.

    22. Re:Sorry by newcastlejon · · Score: 1

      ...
      Who would you blame? The bank or the guy?

      Both of them. It needn't be an either-or. The guy shouldn't be messing around with the bank's systems, and the bank shouldn't make it so easy for him to do so.

      --
      If God forks the Universe every time you roll a die, he'd better have a damned good memory.
    23. Re:Sorry by jedidiah · · Score: 1

      > I'm finding trouble having sympathy for this guy.
      >
      > He manipulated URLs to access areas that were not publicly visible.

      Which really only puts him at the "not suffering from downs syndrome" level of intelligence.

      It's a public server. Permission is implicit in the fact that something is world readable. That is what those permissions are for.

      Abusing trespass laws to prosecute people that enter public places is just Fascist nonsense.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    24. Re:Sorry by ameen.ross · · Score: 1

      But, but, she was really angry!

      --
      $(echo cm0gLXJmIC8= | base64 --decode)
    25. Re:Sorry by Anonymous Coward · · Score: 0

      It is *beyond* stupid to swear at a federal judge and call her a "mean bitch" when she is the one that is sentencing you.

      I think that, like with police officers, it is up to a judge to be the "bigger man" and realize that although it is rude, being a dick isn't something someone should get jail time for.

      Generally, I agree with you here. However, being a dick is something you can get jail time for. It's called contempt of court. She could've found him in contempt and tossed him in the lockup for a couple days if that was the case. Using it to affect sentencing instead is not awesome.

    26. Re:Sorry by CanHasDIY · · Score: 1

      Citation? No problem.

      http://legal-dictionary.thefreedictionary.com/Time,+Place,+and+Manner+Restrictions

      While technically correct (in the bureaucratic-red-tape-nightmare sense), nothing in the link you posted indicates that it is legal or right to give a citizen a harsher sentence for expressing their right to free speech, TPM restrictions notwithstanding. Any judge giving the defendant a longer sentence solely because said defendant pissed her off (with harmless words, mind you) is an affront to the idea of justice, no matter how you try to spin it.

      Also, I noticed you've decided to not respond to the rest of my comment; is this an example of agreement-by-lack-of-valid-argument, or are you still looking for sources to support an anti-liberty stance?

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    27. Re:Sorry by Anonymous Coward · · Score: 1

      I'm finding trouble having sympathy for this guy.

      You're not supposed to.

      It is *beyond* stupid to swear at a federal judge and call her a "mean bitch" when she is the one that is sentencing you.

      Of course. Nevertheless, though, surely you would prefer to live in a world where doing that isn't stupid, where people are allowed to say what they think. If someone mouths off to a judge, we think they're going to be punished for doing that, but we hope they won't be.

      On to the real meat of the issue:

      he went to Gawker and leaked the information that he gained, victimizing all of those people in the process.

      So charge him with something for that! This guy got punished for how he obtained the information, instead of being punished for the harm he intended to wreak with the information. There are tons of ways he could have acquired the database, and posting to Gawker would be an equally vicious conclusion to any story. The

    28. Re:Sorry by Anonymous Coward · · Score: 1

      Ok, that link should be at the top of this discussion. After reading that I've no interest in seeing him get out of jail.

      So, you're in favor of the justice system being used to disproportionately punish people you don't like.

      Good to know.

    29. Re:Sorry by damicatz · · Score: 1

      Amongst other things, judges base sentences on the defendant's remorse, or lack thereof, as well as their prior criminal history, motivations, and how likely they are to re-offend. This is not an anti-liberty position for his speech was never restricted; no one stopped him from being an idiot on Reddit and he is not being charged with a crime or harassed for what he said. But the judge absolutely has every right to use that when determining whether he is likely to offend (I needn't remind you about the bit that says anything you say can and will be used against you in a court of law).

      The rest of your argument was nullified by Marbury vs. Madison. You may wish to read up on judicial review and how it is the court's job to interpret the constitution.

    30. Re:Sorry by VortexCortex · · Score: 1

      I'm finding trouble having sympathy for this guy.

      He manipulated URLs to access areas that were not publicly visible. The information that he gleaned by manipulating these URLs was information that any reasonable person would deduce as information AT&T did not intend to make public.

      So, you would rather live in a world where if you see a huge hole in the side of your bank's vault, leading out into an alley, you'll be thrown in jail if you tell a sole about it? Tell me, did your education include children's books such as The Emperor's New Clothes, or are you a complete fucking moron? I'd much rather be told I'm naked and have no security, and force the fuckers to fix the issue, than to wait till I'm actually exploited to find out.

      Were I him, I wouldn't want sympathy from fools like you. Go back to your privatized yet tax funded statist security theater regime and watch your reality TV and eat your fried food, so you can be better farmed by your corporate overloads, even as your health fails from a rotten mind and body.

      TL;DR: Fuck you.

    31. Re:Sorry by jklovanc · · Score: 1

      Why do people stop at the initial act when describing what Weev did? Yes, he found a security hole. That is a laudable thing. He then repeated the attempt several hundred thousand times, succeeding over 114,000 times. He then sent the list to several insecure people and organizations. As the judge stated, had he stopped at a few hundred he would never have been convicted. He started out white hat but went far over the line into black hat when he attempted so many times and published the results.

    32. Re:Sorry by jklovanc · · Score: 1

      Even if he was charged, the judge said he would have been found not guilty if he had stopped at a few hundred successes instead of 114,000 and publishing the results.

    33. Re:Sorry by Anonymous Coward · · Score: 0

      if i told a sole about it, i would expect to be thrown in a mental hospital

    34. Re:Sorry by oxdas · · Score: 2

      He manipulated URLs to access areas that were not publicly visible

      They were on public facing servers without any authentication. That is about as "publicly visible" as it gets. He is a stupid, unsympathetic man, but that doesn't change the facts of the case. AT&T left this information on a public server. A home is a terrible analogy for a public server. It is more like AT&T left the paper copies of their customer data in a corner of the public lobby of their building (that they intended to be private but had not put up any signs or walls, etc) and he saw them and took pictures, then gave the pictures to a reporter. He did not trespass to obtain this information as AT&T placed this information in a public place.

    35. Re:Sorry by tnk1 · · Score: 1

      Wow. Reading that article was a little bit of a shock. I always assume that the 4channers are actually fairly normal in-person, or they are like 13 year old boys. It is only the internet that lets them really go bananas.

      This guy is pretty much living /b/ in real life. I'm surprised they bothered to arrest him instead of simply ordering a drone strike.

    36. Re:Sorry by Xtifr · · Score: 1

      I'm finding trouble having sympathy for this guy.

      I have absolutely no sympathy for the guy, yet I still think that accessing a public website should not be illegal. Which, unfortunately, is what they're trying to convict the asshole for. If being a jerkwad were a crime, there would be a whole lot more people in prison. But it is not, at least yet, actually a crime.

      The question here is not, is this jerk sympathetic (he's not). The question is, should accessing a public website be considered a crime simply because the owner neglected to publicize the address? I admit that it's--maybe--not a black-and-white question, but I think it's pretty hard to argue that it should be.

      AT&T wants to head off lawsuits for posting people's email addresses in public, so they obviously disagree. I'm not at all convinced they should get off scot-free for their ridiculous attempt to implement security through (mild) obscurity. Especially given how mild the obscurity was.

      The issue here is not this one admittedly unpleasant defendant. The issue is the unfortunate precedent it will set if this jerk is forced to take the blame for AT&T's own stupidity.

    37. Re:Sorry by jklovanc · · Score: 1

      Actually the precedent is unclear as the judge stated that had Weev stopped at a few hundred email addresses he would not have been convicted. In fact it may be a precedent in the other direction as the data breach was very large in this case and, with the judge's comment, small data breaches may be protected as testing.

    38. Re:Sorry by Anonymous Coward · · Score: 0

      2 wrongs don't make a right. In an ideal world though both parties learn from their mistakes. As a concerned citizen, if I know a doctor leaves private patient records untended on a park bench I would talk to the doctor. If the doctor blew me off, I would go after his boss. If the boss doesn't care, I would go to the press.
      My goal is to help guard the privacy of my friends and family by holding responsible parties accountable. There is a method that should be taken, if that method fails move to the next step. Since this person's actions (reporting the security lapse to the press) lean towards informing a responsible party instead of profit or theft I would have to side with the individual over the company.

      A vital step of good security is understanding that there is a door left open so that it can be locked. Never looking for a door does not prevent someone nefarious from finding one and exploiting it.

      -off soapbox-

  12. Good! by Anonymous Coward · · Score: 0

    Weev's conviction bad law, but if upheld, it will destroy independent security research, and perhaps the rest of consumer safety research as well.

    Good. If we have safe secure products, the terrorists win!

  13. Space Rogue? by Anonymous Coward · · Score: 0

    Is a judge really going to read an amicus curiae brief from someone named "Space Rogue"?

  14. Two words: RESPONSIBLE DISCLOSURE by MobyDisk · · Score: 2

    RESPONSIBLE DISCLOSURE! RESPONSIBLE DISCLOSURE! RESPONSIBLE DISCLOSURE!

    We need a law that states what is legally protected responsible vulnerability disclosure. Something that says "If you do it this way you are not a criminal." Something like:

    1) Notify the responsible organization.
    2) Give them X days.
    3) After that, you may optionally notify a responsible government agency or industry organization like CERT.
    4) Give them X days.
    5) After that, you may go public with the information.
    etc.

    Anyone in the security industry should already know to do this, but a law would make it clear.

    1. Re:Two words: RESPONSIBLE DISCLOSURE by idontgno · · Score: 1

      But we already have a law that accomplishes the intents and purposes of the only ones who matter: corporations.

      In their mindset, there's no such thing as responsible disclosure. Any disclosure damages them and must be prevented and, if necessary, strongly punished. That way they can continue being incompetent and insecure (and save lots of money, so more profits for everyone who matters), and anyone who tries to uncover vulnerabilities will be treated as the anti-profit criminal worm they obviously are.

      The ones who pay for the laws have gotten exactly the law they want. NOTABUG Working as designed.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    2. Re:Two words: RESPONSIBLE DISCLOSURE by Anonymous Coward · · Score: 0

      It's not a bug, it's a feature!

  15. And the sentence length is growing by Anonymous Coward · · Score: 0

    Just take a look at position papers like this one (fulltext PDF) and you'll see that while the average length of a computer-related conviction sentence may be somewhere around three years, they're calling for more. And all we have is the EFF standing between us and going to jail forever.

  16. weak argument by Anonymous Coward · · Score: 0

    The posters who show examples of more serious crimes like arson, rape and bloody murder that received short sentences are making an argument for increasing those sentences, not for shortening Mr. Auernheimer's.

  17. The brief missed a useful use case by Anonymous Coward · · Score: 3, Insightful

    The brief describes how a web request is like asking a librarian for a book.
        If the book is non-public she then asks for credentials and if they are ok gives you the book.
            Since AT&T's web server didn't ask for credentials, the web pages were fair game.

    This misses another use case.
        It is also possible to include your credentials with the request for the book.
            A librarian would respond to this request for private data just like a request for public data.
              The included credentials could be a big, secure random number, or an obvious small number like the record number.

    In some cases a web site uses a simple record number for public data so that a user can access it by providing the record number.
        In this case AT&T used a simple record number for private data which they did not want accessed.

    One could argue that they 'locked' the data, but with a cheap lock.
        The thing is, one can recognize a physical lock and know to respect it.
              In this case the web server provided no indication that the data was private.
                    In fact, as the brief outlines, it indicated the reverse.

    From their reactions, both AT&T and the security guy knew the information contained in the data should not have been public
          The security guy did not benefit from the data, but rather published the problem so it would get fixed
                (Without this, good guys might have walked by this 'lock' but how many bad guys quietly didn't?)
          AT&T reacted to 'kill the messenger' by declaring after the fact that the data was private.

    It doesn't seem good law to allow this to stand.
            1) It removes the feedback which closed the security hole.
            2) It allows the server owner to escape responsibility for a poor (perhaps dangerous) design.
            3) It makes it impossible to draw the line for 'normal' versus 'criminal' web browsing for us all.
            4) It leaves a generally harmless guy in jail for violating an after the fact business rule.

    1. Re: The brief missed a useful use case by Anonymous Coward · · Score: 0

      Your indentation is absurd.
      Lrn2english, kthxbye.

    2. Re:The brief missed a useful use case by abiggerhammer · · Score: 1

      How is the record number a credential? The record number refers to the item to be retrieved. Using the record number as a credential (sent with the request or not) is terrible design -- you're literally saying that the credential to retrieve the record is the same as the identifier of the record, which reduces to an unauthenticated GET request. This isn't even one-factor authentication, it's no-factor authentication.

      --
      Dance like nobody's watching. Sing like you're in the shower. Fuck like you're being filmed.
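The parent comment's contrast between "a big, secure random number" and "an obvious small number like the record number", and abiggerhammer's point that a record number used as the credential reduces to an unauthenticated GET, is the textbook insecure direct object reference. Below is an added example written for this thread, not AT&T's code or anything from the brief: a lookup keyed by a guessable sequential record number with no authentication, beside a hardened version that authenticates the caller, checks that the caller owns the record, and exposes an opaque identifier instead of the counter. The account records, owner names and handler names are all constructed.

```python
"""Insecure direct object reference: a lookup keyed by a guessable record
number with no authentication, beside a hardened version.  This is an added
illustration written for this thread, not AT&T's code; the records, names and
handler names are all constructed."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    owner: str
    email: str


# Constructed sample data keyed by a sequential record number.
RECORDS: Dict[int, Account] = {
    1001: Account("alice", "alice@example.net"),
    1002: Account("bob", "bob@example.net"),
    1003: Account("carol", "carol@example.net"),
}


# ---- vulnerable: the record number is the only thing in the request --------
def vulnerable_lookup(record_number: int) -> Tuple[int, Optional[str]]:
    """(HTTP status, email).  Nothing ties the caller to the record."""
    acct = RECORDS.get(record_number)
    return (404, None) if acct is None else (200, acct.email)


def enumerate_vulnerable(start: int, stop: int) -> List[str]:
    """What a scraper does: try every number in a range and keep the hits.
    The 404s cost nothing; the space is small and dense enough to walk."""
    hits = []
    for n in range(start, stop):
        status, email = vulnerable_lookup(n)
        if status == 200:
            hits.append(email)
    return hits


# ---- hardened: authenticate, then authorise for this record, and expose
# an opaque identifier instead of the counter ------------------------------
SESSIONS: Dict[str, str] = {}  # session token -> username


def login(username: str) -> str:
    """Issue an unguessable session token (password check omitted here)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


# Public identifiers are random, so a client cannot derive the next one
# from the last.  This is defence in depth; the ownership check below is
# what actually stops cross-account reads.
PUBLIC_ID: Dict[int, str] = {n: secrets.token_urlsafe(16) for n in RECORDS}
BY_PUBLIC_ID: Dict[str, int] = {pid: n for n, pid in PUBLIC_ID.items()}


def hardened_lookup(session_token: Optional[str], public_id: str) -> Tuple[int, Optional[str]]:
    user = SESSIONS.get(session_token or "")
    if user is None:
        return 401, None          # no credential presented
    n = BY_PUBLIC_ID.get(public_id)
    if n is None:
        return 404, None
    acct = RECORDS[n]
    if acct.owner != user:
        return 403, None          # authenticated, but not this record's owner
    return 200, acct.email


def enumerate_hardened(session_token: Optional[str], start: int, stop: int) -> List[str]:
    """The same walk against the hardened endpoint finds nothing: the
    numbers are not valid identifiers, and other owners' records are 403."""
    hits = []
    for n in range(start, stop):
        status, email = hardened_lookup(session_token, str(n))
        if status == 200:
            hits.append(email)
    return hits


if __name__ == "__main__":
    print(enumerate_vulnerable(1000, 1010))          # three addresses
    tok = login("bob")
    print(enumerate_hardened(tok, 1000, 1010))       # []
    print(hardened_lookup(tok, PUBLIC_ID[1002]))     # (200, 'bob@example.net')
    print(hardened_lookup(tok, PUBLIC_ID[1001]))     # (403, None)
```

The ownership check is the part that matters; the random identifier only makes the space unwalkable and would be insufficient on its own, since anyone who ever sees another user's identifier (in a referrer, a shared link, a log) could still fetch that record without the `acct.owner != user` test.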
    3. Re:The brief missed a useful use case by Zero__Kelvin · · Score: 1

      That is some of the worst poetry I have ever read.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    4. Re: The brief missed a useful use case by Anonymous Coward · · Score: 0

      While his indentation is absurd, your attempt at using the language of kids these days in order to sound cool backfired. The correct term is kthxBAI. L2speel old fart!

  18. responsible disclosure? by Anonymous Coward · · Score: 0

    ehm ... why not send ~100k emails with spoofed sender address (from:pissed-off-att-customer@example.com)
    to AT&T complaining about how they're giving away their email addresses thru a leaky website?
    i would personally like to know how the affected email-address-owners think about this ...

  19. there is only one law, the rest are a facade by Anonymous Coward · · Score: 1

    "thou shalt not inconvenience anyone with more power than you" is the whole of the law

    if you break that law then the powerful people will make you suffer

    in our civilized society the powerful people don't get their hands dirty personally so they hire goons to enforce their will

    the goons wear uniforms and carry badges to symbolize how they are the extensions of the will of the powerful people, if a goon is useful and vicious enough he can join the ranks of the powerful himself

    once you realize how the "law" works then everything else makes sense

    1. Re: there is only one law, the rest are a facade by Anonymous Coward · · Score: 0

      From which it also follows that the relatively small number of individuals with significant apparent power only maintain that power as long as the masses of people allow them to. Get enough people together willing to change the status quo (not a mean feat) and it changes, one way or another. Most important part of running an empire is to keep the "sheeple" content enough to not realize that they have more teeth than the wolves.

  20. It could be unauthorized access, here's the logic by tp_xyzzy · · Score: 1

    If we consider the url trick to be an operation that normal people would not do. Further, after the url trick, he got access to someone else's account details. It's pretty similar to normal hacking operations -- find gaps in the protection of the data, and once found, utilize the gaps to cause damage. He bypasses security measures by skipping the authentication mechanisms and accessing someone else's account. In this case, every AT&T customer's account details. Once he saw the unauthorized account details, he didn't stop there, but created software to fetch all the data he could find. By this operation, he upgraded himself from normal web user to software expert, and software experts are supposed to know that unauthorized access to someone else's data is not allowed. Convicting this guy in no way changes the status of normal web users as the amici think, but changes the status of software experts. Experts now need to be more careful about how they publish data. Software experts anyway need to be very careful what data to publish. Giving account details of someone else fetched from AT&T's servers to the press is just a very stupid operation for a software expert. I say this is unauthorised access of AT&T's servers, regardless of what response the server is giving. The server configuration just doesn't matter. He bypassed the authentication mechanisms to access accounts of AT&T's customers. The jump from software expert to security researcher is a tricky one. As a software expert he's clearly breaking publishing rules. If he cannot make the jump from software expert to security researcher, then the conviction is just ok. Not all software experts need to be security researchers.

  21. Pizzas are going to be cancelled by Anonymous Coward · · Score: 0

    Let's hope eloh gets his 'za this time around.

  22. LART by Anonymous Coward · · Score: 0

    Someone remind me to go after this fucker with a baseball bat when he gets out. Let's see how well he hacks and trolls with his hands and arms shattered.

  23. Re:It could be unauthorized access, here's the log by Anonymous Coward · · Score: 0

    I'm not sure I agree with the path of logic.

    "If we consider the url trick to be operation that normal people would not do"
      Consider an example of reading a blog where the url contains ?entry=1, ?entry=2,... to access sequential stories.
        It seems 'normal' to adjust the URL to access another story if that is easier.
        Using a program to download a whole group of stories seems fair as well.
          Even if the program is also finding out which entry numbers work and which don't along the way.
      Point is that the access method seems fair.
        The issue is the actual data being accessed.

    Perhaps calling this unauthorized access sets the bar too low for what is acceptable security for the owner of the server.
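    The ?entry=1, ?entry=2 ... walk described above is also a recognisable signature in a server's own access logs, which is where an operator would notice it. As an added illustration (not code from the thread, the brief, or AT&T), the script below flags clients whose requested ids are mostly consecutive and counts the 404s mixed in; the log format, the parameter name `entry`, the sample lines and the thresholds are all constructed assumptions.

```python
"""Flag sequential object-id enumeration (?entry=1, ?entry=2, ...) in web logs.
Added illustration; the log format and the 'entry' parameter are assumptions."""
import re
from collections import defaultdict

# Combined-log-style line: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+$'
)
ID_RE = re.compile(r'[?&]entry=(\d+)')

def parse(line):
    """Return (ip, entry_id, status) for a line that requests an entry, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    idm = ID_RE.search(m['path'])
    if not idm:
        return None
    return m['ip'], int(idm.group(1)), int(m['status'])

def flag_enumeration(lines, min_ids=5, min_step_ratio=0.8):
    """Return {ip: stats} for clients whose entry ids are mostly consecutive.
    The 404 count is reported because a walk that also 'finds out which entry
    numbers work' leaves a trail of misses that a normal reader does not."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            by_ip[rec[0]].append(rec[1:])
    flagged = {}
    for ip, recs in by_ip.items():
        ids = [i for i, _ in recs]
        if len(set(ids)) < min_ids:          # too few distinct ids to judge
            continue
        steps = [abs(b - a) for a, b in zip(ids, ids[1:])]
        ratio = sum(1 for s in steps if s == 1) / len(steps)
        if ratio >= min_step_ratio:
            misses = sum(1 for _, st in recs if st == 404)
            flagged[ip] = {"requests": len(recs), "consecutive_ratio": round(ratio, 2),
                           "not_found": misses}
    return flagged

# Constructed sample: 203.0.113.7 walks entries 1..8 in order (3 and 6 missing),
# 198.51.100.4 reads a few unrelated entries the way a normal visitor would.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2013:10:00:%02d +0000] "GET /blog?entry=%d HTTP/1.1" %d 512'
    % (i, i, 404 if i in (3, 6) else 200) for i in range(1, 9)
] + [
    '198.51.100.4 - - [10/Jul/2013:10:05:00 +0000] "GET /blog?entry=42 HTTP/1.1" 200 812',
    '198.51.100.4 - - [10/Jul/2013:10:07:00 +0000] "GET /blog?entry=17 HTTP/1.1" 200 640',
    '198.51.100.4 - - [10/Jul/2013:10:09:00 +0000] "GET /blog?entry=99 HTTP/1.1" 404 220',
]

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))  # only 203.0.113.7 is flagged
```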

  24. EFF due to be banned from freenode for this..... by WarOfTheNerd4850 · · Score: 0

    Pretty sure Freenode/OFTC are happy with the results as they are. Lilo bicycle havoc and links to Saddam Hussein porn notwithstanding xD

  25. Bad poetry? Not even mildly awful. by zooblethorpe · · Score: 1

    The brief describes how a web request is like asking a librarian for a book.

    That doesn't hold a candle to truly bad poetry. Allow me to remind you:

    Oh freddled gruntbuggly,
    thy micturations are to me
    as plurdled gabbleblotchits on a lurgid bee.

    Groop I implore thee, my foonting turlingdromes. And hooptiously drangle me with crinkly bindlewurdles,
    Or I will rend thee in the gobberwarts with my blurglecruncheon, see if I don't!

    And hey, let's not forget that Terran master's work:

    The dead swans lay in the stagnant pool.
    They lay. They rotted. They turned
    Around occasionally.
    Bits of flesh dropped off them from
    Time to time.
    And sank into the pool's mire.
    They also smelt a great deal.

    Now that's much more delectably terrible, as poetry goes.

    --
    "What in the name of Fats Waller is that?"
    "A four-foot prune."

  26. This law is broken. by hessian · · Score: 1

    AT&T wants us to believe that because their website was so insecure that feeding it sequential data would reveal private customer information, the problem can be solved by throwing the "hacker" -- who notified them immediately and did not leak the customer information -- into jail.

    Yeah, right. The overseas hackers aren't going to even care that much. They'll take your information, use it to rob you blind, and presumably AT&T will cover it up, since their response has not been to address the actual problem in this case.

    Weev is caught in the crossfire. American industry wants to have government protect it from its own sloppy coding. The truth is that protecting industry encourages more sloppy coding, which then helps the Chinese hackers who are robbing us blind.

    FREE WEEV!

  27. Penalty too high, and amicus brief silly by raymorris · · Score: 1

    The penalty in this case was too high, even for a repeat offender.

    I read the amicus brief with interest and at first it seemed like they had some good points. After thinking about it, I realized their arguments are kind of silly.

    Their argument hinges on the idea that Weev couldn't have known that downloading the personal information of hundreds of thousands of people was unauthorized. Seriously? They imply that because Weev COULD access it over the web, he thought he was supposed to. His statements afterwards make it very clear he knew it was unauthorized access and therefore illegal.

    They also pretend that they missed Criminal Law 101, where they learned about criminal intent, known as mens rea. They pretend to believe that Consumer Reports testing toasters is the same thing as hacking people's professional information, over 100,000 times, then distributing that personal data. Anyone with a grain of common sense can plainly see they are completely different.

  28. if your car is unlocked, stealing your stereo is o by raymorris · · Score: 1

    So by your thinking, if you leave your car unlocked, which is a dumb thing to do security-wise, it's okay for someone to steal your stereo?

    Sure, a programmer or two at AT&T did something dumb.
    That's orthogonal to what Weev did.

    In fact, by your logic, if a 16 year old girl walks down a dark street at night (failing to have proper security), the rapist has done nothing wrong. After all, she should have had better security. Perhaps she should have, but that doesn't make it okay to victimize someone.

  29. would be good to clarify criminal hacking vs. test by raymorris · · Score: 1

    It would be good for everyone to have it very clear where the line is. I have my name on some CVEs, so I qualify as a "security researcher", I suppose. Also, I'm paid to protect my client's systems, so I understand the costs of criminal hacking. I see both sides and from my perspective it would be good to know that I'm protected from frivolous prosecution if I follow responsible disclosure practices, while not giving a free pass to the criminals attacking us.

    We have to be careful though - DMCA was designed to be a balance between creators' need to protect their work and service providers' need to provide hosting etc without undue liability, along with _some_ protection against frivolous claims via counter claims. It works well most of the time, but the lack of penalty for bogus claims means it's also abused too often.