Security Researchers Submit Brief For Andrew "Weev" Auernheimer
USSJoin writes "Andrew Auernheimer (or Weev, as he's often better known) is serving a 41-month sentence under the Computer Fraud and Abuse Act. The case is currently on appeal to the Third Circuit Court of Appeals; his lawyer filed the appellate brief last week. Now, a group of 13 security researchers, led by Meredith Patterson, and including Peiter "Mudge" Zatko, Space Rogue, Jericho, Shane MacDougall, and Dan Kaminsky, are making their own thoughts heard by the court. They are submitting a brief to the Third Circuit Court of Appeals that argues that not only is Weev's conviction bad law, but if upheld, it will destroy independent security research, and perhaps the rest of consumer safety research as well."
What Weev did was spoof his browser headers and then send a bogus ID to AT&T's webserver. The dumbasses who wrote and reviewed the code on AT&T's backend were negligent in that they blindly trusted the user input and spit out private information as a result. If that's what the spec said was supposed to happen, then start climbing the ladder and find out who authorized customer info to be so accessible.
In my mind, the people in charge of code review at AT&T need to be in court answering questions as to what other code they have facing the internet which could be circumvented in a similar way giving away customer info to anyone who can use a common browser plugin and simply change a form variable. This is a clear case of glaring corporate negligence being covered with the Computer Fraud and Abuse Act.
I'm not even sure what the CFAA is supposed to protect, but if its primary use is to keep people from asking questions about how their private info is stored, and who has access to it, then get rid of it. The only people winning from legislation like that are the ones who would otherwise be sued for negligence.
Join the Slashcott! Feb 10 thru Feb 17!
Yeah, I'm pretty sure that's the point. What in the world makes them think the government and the mega corps that they've merged with wouldn't want to "destroy independent security research" and "consumer safety research"? You think those federal-corporate cockroaches want you shining a light on their clandestine behind-the-fridge data gorging?
Hollywood, Television, has become the dream machine. We need to take that back; each of us is a Dream Machine
I'm finding trouble having sympathy for this guy.
He manipulated URLs to access areas that were not publicly visible. The information that he gleaned by manipulating these URLs was information that any reasonable person would deduce as information AT&T did not intend to make public. Rather than informing AT&T about the vulnerability, he went to Gawker and leaked the information that he gained, victimizing all of those people in the process. Just because someone leaves a door unlocked or open does not give you the right to go in and steal stuff and this is no different. Mens rea is *everything* here; if he had just gone to AT&T or acted responsibly in the disclosure, rather than trolling, he would most likely have never been charged.
As far as the prison sentence goes, he brought that on himself as well. It is *beyond* stupid to swear at a federal judge and call her a "mean bitch" when she is the one that is sentencing you. It is *beyond* stupid to go on a public forum and post that you intend to commit the same crimes again once you get out of prison. Do not complain when you get the book thrown at you after you try to turn the courtroom and the trial into a three-ring circus. Trolling a federal judge is never a good idea.
There is also the matter of his past history. I have not forgotten about what he did to Kathy Sierra or the other women that he made rape threats against. Or the "GNAA". His entire life has been dedicated to griefing people and generally being an asshole and yeah, the judge is going to look at that.
Did he delete the data on AT&T servers? Refine the analogy so the researcher is using a digital camera.
The brief describes how a web request is like asking a librarian for a book.
If the book is non-public she then asks for credentials and if they are ok gives you the book.
Since AT&T's web server didn't ask for credentials, the web pages were fair game.
This misses another use case.
It is also possible to include your credentials with the request for the book.
A librarian would respond to this request for private data just like a request for public data.
The included credentials could be a big, secure random number, or an obvious small number like the record number.
In some cases a web site uses a simple record number for public data so that a user can access it by providing the record number.
In this case AT&T used a simple record number for private data which they did not want accessed.
One could argue that they 'locked' the data, but with a cheap lock.
The thing is, one can recognize a physical lock and know to respect it.
In this case the web server provided no indication that the data was private.
In fact, as the brief outlines, it indicated the reverse.
From their reactions, both AT&T and the security guy knew the information contained in the data should not have been public.
The security guy did not benefit from the data, but rather published the problem so it would get fixed.
(Without this, good guys might have walked by this 'lock' but how many bad guys quietly didn't?)
AT&T reacted to 'kill the messenger' by declaring after the fact that the data was private.
It doesn't seem good law to allow this to stand.
1) It removes the feedback which closed the security hole.
2) It allows the server owner to escape responsibility for a poor (perhaps dangerous) design.
3) It makes it impossible to draw the line for 'normal' versus 'criminal' web browsing for us all.
4) It leaves a generally harmless guy in jail for violating an after the fact business rule.
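As an added illustration of the "cheap lock" the comment above describes (example code written here, not from the brief, the researchers, or AT&T's system; the record numbers and accounts are constructed): a handler that treats the record number in the request as the only credential, beside one that plays the librarian, asking for credentials first and then handing over only records the session owns.

```python
from typing import Callable, Iterable, Optional, Tuple

# Constructed sample data: subscriber records keyed by a small, sequential record number.
RECORDS = {
    1001: {"email": "alice@example.com"},
    1002: {"email": "bob@example.com"},
}
# Which authenticated account owns which record (constructed).
OWNER_OF = {1001: "alice", 1002: "bob"}

Response = Tuple[int, Optional[dict]]  # (HTTP status, body)


def lookup_weak(record_id: int) -> Response:
    """The 'cheap lock': the record number is the only thing checked.
    Any caller who supplies a valid number gets the record, and the server
    never signals that the data was meant to be private."""
    body = RECORDS.get(record_id)
    return (200, body) if body is not None else (404, None)


def lookup_bound(session_user: Optional[str], record_id: int) -> Response:
    """Hardened: with no credentials the server asks for them (401), the
    visible 'lock' the comment says was missing. With credentials it returns
    only records the session owns, and answers 404 for anything else so a
    caller cannot distinguish 'not yours' from 'does not exist'."""
    if session_user is None:
        return (401, None)
    if OWNER_OF.get(record_id) != session_user:
        return (404, None)
    return (200, RECORDS[record_id])


def unauthenticated_exposure(handler: Callable[[int], Response],
                             ids: Iterable[int]) -> int:
    """Code-review check: how many records does a handler hand to a caller
    with no session at all? Anything above zero is the negligence the
    thread describes. `handler` maps a record number to a Response."""
    return sum(1 for rid in ids if handler(rid)[0] == 200)
```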