Slashdot Mirror
Security Researchers Submit Brief For Andrew "Weev" Auernheimer
USSJoin writes "Andrew Auernheimer (or Weev, as he's often better known) is serving a 41-month sentence under the Computer Fraud and Abuse Act. The case is currently on appeal to the Third Circuit Court of Appeals; his lawyer filed the appellate brief last week. Now, a group of 13 security researchers, led by Meredith Patterson, and including include Peiter "Mudge" Zatko, Space Rogue, Jericho, Shane MacDougall, and Dan Kaminsky, are making their own thoughts heard by the court. They are submitting a brief to the Third Circuit Court of Appeals that argues that not only is Weev's conviction bad law, but if upheld, it will destroy independent security research, and perhaps the rest of consumer safety research as well."
What Weev did was spoof his Browser headers and then send a bogus ID to AT&T's webserver. The dumbasses who wrote and reviewed the code on AT&T's backend were negligent in that they blindly trusted the user input and spit out private information as a result. If that's what the Spec said was supposed to happen, then start climbing the ladder and find out who authorized customer info to be so accessible.
In my mind, the people in charge of code review at AT&T need to be in court answering questions as to what other code they have facing the internet which could be circumvented in a similar way giving away customer info to anyone who can use a common browser plugin and simply change a form variable. This is a clear case of glaring corporate negligence being covered with the Computer Fraud and Abuse Act.
I'm not even sure what the CFAA is supposed to protect, but if it's primary use is to keep people from asking questions about how their private info is stored, and who has access to it, then get rid of it. The only people winning from legislation like that are the ones who would otherwise be sued for negligence.
Join the Slashcott! Feb 10 thru Feb 17!
Yeah, I'm pretty sure that's the point. What in the world makes them think the government and the mega corps that they've merged with wouldn't want to "destroy independent security research" and "consumer safety research"? You think those federal-corporate cockroaches want you shining a light on their clandestine behind-the-fridge data gorging?
Hollywood, Television, has become the dream machine. We need to take that back; each of us is a Dream Machine
I'm finding trouble having sympathy for this guy.
He manipulated URLs to access areas that were not publicly visible. The information that he gleaned by manipulating these URLs was information that any reasonable person would deduce as information AT&T did not intent to make public. Rather than informing AT&T about the vulnerability, he went to Gawker and leaked the information that he gained, victimizing all of those people in the process. Just because someone leaves a door unlocked or open does not give you the right to go in and steal stuff and this is no different. Mens rea is *everything* here; if he had just gone to AT&T or acted responsibly in the disclosure, rather than trolling, he would most likely have never been charged.
As far as the prison sentence goes, he brought that on himself as well. It is *beyond* stupid to swear at a federal judge and call her a "mean bitch" when she is the one that is sentencing you. It is *beyond* stupid to go on a public forum and post that you intent to commit the same crimes again once you get out of prison. Do not complain when you get the book thrown at you after you try to turn the courtroom and the trial into a three-ring circus. Trolling a federal judge is never a good idea.
There is also the matter of his past history. I have not forgotten about what he did to Kathy Sierra or the other women that he made rape threats against. Or the "GNAA". His entire life has been dedicated to griefing people and generally being an asshole and yeah, the judge is going to look at that.
Did he delete the data on AT&T servers? Refine the analogy so the researcher is using a digital camera.