Security Researchers Submit Brief For Andrew "Weev" Auernheimer
USSJoin writes "Andrew Auernheimer (or Weev, as he's often better known) is serving a 41-month sentence under the Computer Fraud and Abuse Act. The case is currently on appeal to the Third Circuit Court of Appeals; his lawyer filed the appellate brief last week. Now, a group of 13 security researchers, led by Meredith Patterson, and including Peiter "Mudge" Zatko, Space Rogue, Jericho, Shane MacDougall, and Dan Kaminsky, are making their own thoughts heard by the court. They are submitting a brief to the Third Circuit Court of Appeals that argues that not only is Weev's conviction bad law, but if upheld, it will destroy independent security research, and perhaps the rest of consumer safety research as well."
It may have been pertinent to briefly explain what he actually did in the summary - he was the guy who got hold of 114,000 AT&T customer email addresses. Beyond that I don't know much, except that there is some argument over whether what he did was any kind of "hack" - he may have just navigated some exposed folders. Either way, you still probably get less than 41 months for kicking a puppy to death.
systemd is Roko's Basilisk.
In the light of recent events, we are sure the STASI also owes some favors to AT&T....
What Weev did was spoof his browser headers and then send a bogus ID to AT&T's webserver. The dumbasses who wrote and reviewed the code on AT&T's backend were negligent in that they blindly trusted the user input and spit out private information as a result. If that's what the spec said was supposed to happen, then start climbing the ladder and find out who authorized customer info to be so accessible.
In my mind, the people in charge of code review at AT&T need to be in court answering questions as to what other code they have facing the internet which could be circumvented in a similar way giving away customer info to anyone who can use a common browser plugin and simply change a form variable. This is a clear case of glaring corporate negligence being covered with the Computer Fraud and Abuse Act.
I'm not even sure what the CFAA is supposed to protect, but if its primary use is to keep people from asking questions about how their private info is stored, and who has access to it, then get rid of it. The only people winning from legislation like that are the ones who would otherwise be sued for negligence.
Join the Slashcott! Feb 10 thru Feb 17!
Yeah, I'm pretty sure that's the point. What in the world makes them think the government and the mega corps that they've merged with wouldn't want to "destroy independent security research" and "consumer safety research"? You think those federal-corporate cockroaches want you shining a light on their clandestine behind-the-fridge data gorging?
Hollywood, Television, has become the dream machine. We need to take that back; each of us is a Dream Machine
may have been pertinent to briefly explain what he actually did in the summary
In reality this is just a case of the following:
Researcher finds that Joe Blow has gone out of town and left the door to his house unlocked and open. Researcher publishes this information in a blog along with the address to the house. House gets robbed. Police hold Researcher responsible. Researcher insists it's not his fault that the house got robbed.
Yes it really is that simple.
...will be the first pwned in a cyberwar because fear will have kept their system from ever being tested.
I'm finding trouble having sympathy for this guy.
He manipulated URLs to access areas that were not publicly visible. The information that he gleaned by manipulating these URLs was information that any reasonable person would deduce as information AT&T did not intend to make public. Rather than informing AT&T about the vulnerability, he went to Gawker and leaked the information that he gained, victimizing all of those people in the process. Just because someone leaves a door unlocked or open does not give you the right to go in and steal stuff and this is no different. Mens rea is *everything* here; if he had just gone to AT&T or acted responsibly in the disclosure, rather than trolling, he would most likely have never been charged.
As far as the prison sentence goes, he brought that on himself as well. It is *beyond* stupid to swear at a federal judge and call her a "mean bitch" when she is the one that is sentencing you. It is *beyond* stupid to go on a public forum and post that you intend to commit the same crimes again once you get out of prison. Do not complain when you get the book thrown at you after you try to turn the courtroom and the trial into a three-ring circus. Trolling a federal judge is never a good idea.
There is also the matter of his past history. I have not forgotten about what he did to Kathy Sierra or the other women that he made rape threats against. Or the "GNAA". His entire life has been dedicated to griefing people and generally being an asshole and yeah, the judge is going to look at that.
If you read those comments in a hostile light, then sure, then it looks like he's up to no good. But just from those snippets, it's ambiguous. As far as the phishing thing, how the heck do you think a security researcher would describe the importance of a vulnerability discovery? It appears that Weev had no intent to use the data maliciously, he just exposed AT&T's wrongdoing to the world. Do you have any evidence otherwise?
No, Weev is not an independent security researcher, he is a troll. BUT he used the same tools the researchers use. It's like passing a law outlawing the use of lockpicks. Surely all thieves would be affected, but it would affect locksmiths too.
If Weev loses the appeal, the traffic on full-disclosure mailing list will drop a lot. If I discover a bug on Paypal website that allows anyone to access a third party's account, and I inform Paypal, I would be guilty.
Even with Weev being a troll and thinking of making a profit from AT&T's mistake, the problem is shifting the blame for exposing the innocent victims from AT&T to Weev. The way this is going, it looks like AT&T did everything right, responsibly, blamelessly, and an evil hacker with super-human powers hacked their NSA-grade secured servers and stole the data, when what really happened was that AT&T didn't even bother to protect the data in any way.
RESPONSIBLE DISCLOSURE! RESPONSIBLE DISCLOSURE! RESPONSIBLE DISCLOSURE!
We need a law that states what is legally protected responsible vulnerability disclosure. Something that says "If you do it this way you are not a criminal." Something like:
1) Notify the responsible organization.
2) Give them X days.
3) After that, you may optionally notify a responsible government agency or industry organization like CERT.
4) Give them X days.
5) After that, you may go public with the information.
etc.
Anyone in the security industry should already know to do this, but a law would make it clear.
The brief describes how a web request is like asking a librarian for a book.
If the book is non-public she then asks for credentials and if they are ok gives you the book.
Since AT&T's web server didn't ask for credentials, the web pages were fair game.
This misses another use case.
It is also possible to include your credentials with the request for the book.
A librarian would respond to this request for private data just like a request for public data.
The included credentials could be a big, secure random number, or an obvious small number like the record number.
In some cases a web site uses a simple record number for public data so that a user can access it by providing the record number.
In this case AT&T used a simple record number for private data which they did not want accessed.
One could argue that they 'locked' the data, but with a cheap lock.
The thing is, one can recognize a physical lock and know to respect it.
In this case the web server provided no indication that the data was private.
In fact, as the brief outlines, it indicated the reverse.
From their reactions, both AT&T and the security guy knew the information contained in the data should not have been public.
The security guy did not benefit from the data, but rather published the problem so it would get fixed.
(Without this, good guys might have walked by this 'lock' but how many bad guys quietly didn't?)
AT&T reacted to 'kill the messenger' by declaring after the fact that the data was private.
It doesn't seem good law to allow this to stand.
1) It removes the feedback which closed the security hole.
2) It allows the server owner to escape responsibility for a poor (perhaps dangerous) design.
3) It makes it impossible to draw the line for 'normal' versus 'criminal' web browsing for us all.
4) It leaves a generally harmless guy in jail for violating an after the fact business rule.
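The "cheap lock" described in this post (and the blindly trusted ID in the earlier post about spoofed headers) is an insecure direct object reference: the request carries a sequential record number and the server serves whatever that number points to. The following is an added illustrative model, not AT&T's code or the brief's; the data, parameter name `device_id` and session model are constructed assumptions. It places the vulnerable lookup beside a hardened one that derives ownership from the authenticated session, and shows an unguessable handle as the "big, secure random number" alternative to a sequential record number.

```python
"""Vulnerable vs. hardened record lookup (added example, modelled loosely on
the flaw discussed in the thread; not AT&T's code). Sample data, parameter
names and the session model are constructed assumptions."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple

# Constructed sample data: sequential device ids mapped to account emails.
ACCOUNTS: Dict[int, str] = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
}

# Which authenticated user owns which record (constructed).
OWNERSHIP: Dict[str, int] = {email: dev for dev, email in ACCOUNTS.items()}


@dataclass
class Request:
    """Minimal model of an HTTP request: query parameters plus the identity
    a real login would have established in the session (None = anonymous)."""
    params: Dict[str, str]
    session_user: Optional[str] = None


def lookup_vulnerable(req: Request) -> Tuple[int, str]:
    """The 'cheap lock': any caller who supplies a valid record number gets
    the email. The identifier is treated as if it were a credential."""
    try:
        device_id = int(req.params.get("device_id", ""))
    except ValueError:
        return 400, "bad request"
    email = ACCOUNTS.get(device_id)
    if email is None:
        return 404, "not found"
    return 200, email


def lookup_hardened(req: Request) -> Tuple[int, str]:
    """Require an authenticated session and serve only the record that the
    session owns. A supplied id belonging to someone else is refused, and
    the 403 is the signal a monitoring rule should count."""
    if req.session_user is None:
        return 401, "login required"
    try:
        device_id = int(req.params.get("device_id", ""))
    except ValueError:
        return 400, "bad request"
    if OWNERSHIP.get(req.session_user) != device_id:
        return 403, "forbidden"
    return 200, ACCOUNTS[device_id]


# Unguessable handles: a random reference instead of the raw sequential id.
# This stops enumeration of the id space but is not a substitute for the
# session check above; it only makes the 'record number' unguessable.
HANDLES: Dict[str, int] = {}


def issue_handle(device_id: int) -> str:
    """Return a 128-bit random handle that refers to device_id."""
    handle = secrets.token_urlsafe(16)
    HANDLES[handle] = device_id
    return handle


def resolve_handle(handle: str) -> Optional[int]:
    """Map a handle back to its record; unknown handles resolve to None."""
    return HANDLES.get(handle)


def exposed_count(lookup: Callable[[Request], Tuple[int, str]],
                  ids: Iterable[int]) -> int:
    """Regression check a defender can run against an endpoint: how many
    records does an anonymous caller obtain by walking a range of ids?"""
    return sum(1 for i in ids
               if lookup(Request({"device_id": str(i)}))[0] == 200)
```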
"thou shalt not inconvenience anyone with more power than you" is the whole of the law
if you break that law then the powerful people will make you suffer
in our civilized society the powerful people don't get their hands dirty personally so they hire goons to enforce their will
the goons wear uniforms and carry badges to symbolize how they are the extensions of the will of the powerful people, if a goon is useful and vicious enough he can join the ranks of the powerful himself
once you realize how the "law" works then everything else makes sense
If we consider the URL trick to be an operation that normal people would not do. Further, after the URL trick, he got access to someone else's account details. It's pretty similar to normal hacking operations -- find gaps in the protection of the data, and once found, utilize the gaps to cause damage. He bypassed security measures by skipping the authentication mechanisms and accessing someone else's account. In this case, every AT&T customer's account details. Once he saw the unauthorized account details, he didn't stop there, but created software to fetch all the data he could find. By this operation, he upgraded himself from normal web user to software expert, and software experts are supposed to know that unauthorized access to someone else's data is not allowed. Convicting this guy in no way changes the status of normal web users as the amici think, but changes the status of software experts. Experts now need to be more careful about how they publish data. Software experts anyway need to be very careful about what data to publish. Giving account details of someone else fetched from AT&T's servers to the press is just a very stupid operation for a software expert. I say this is unauthorised access of AT&T's servers, regardless of what response the server is giving. The server configuration just doesn't matter. He bypassed the authentication mechanisms to access accounts of AT&T's customers. The jump from software expert to security researcher is a tricky one. As a software expert he's clearly breaking publishing rules. If he cannot make the jump from software expert to security researcher, then the conviction is just OK. Not all software experts need to be security researchers.
If Weev loses the appeal, the traffic on full-disclosure mailing list will drop a lot. If I discover a bug on Paypal website that allows anyone to access a third party's account, and I inform Paypal, I would be guilty.
If I discover a bug on Paypal website that allows anyone to access a third party's account, succeeded over 114,000 times over a number of days, made the information public, and I inform Paypal,
FTFY. The issue is not what he did but how many times he did it. The judge in the case even said that he would not have been convicted if he had stopped at a few hundred examples to prove the vulnerability. The volume of what he did crossed the line between white hat and black hat hacking.
Downloading so many addresses may well have been necessary to demonstrate the seriousness of the problem. He could have gotten a list of a few hundred examples simply by doing Google searches and crawls; it would have been meaningless.
Untrue. All he had to do was show the URLs he used to get each address and how the URLs could be changed to get more data. The company would have been able to hit those URLs and confirm that is where the data came from. That would have made it clear that there was a big issue.
He may have been able to get the email addresses from somewhere else but the evidence of the URLs is overwhelming.
And as the brief actually points out, a person's beliefs about whether what he did was illegal or not are completely irrelevant to whether or not a crime was actually committed. If what you did was illegal, you are punished even if you believe it to be legal; but the converse holds true as well -- if what you did was legal, you should not be punished, even if you believed that it was illegal.
TCP: Why the Internet is full of SYN.
You don't seriously believe most journalists are capable of doing that sort of thing?
That doesn't hold a candle to truly bad poetry. Allow me to remind you:
And hey, let's not forget that Terran master's work:
Now that's much more delictably terrible, as poetry goes.
"What in the name of Fats Waller is that?"
"A four-foot prune."
Weev didn't even report the vulnerability to the company before going to the press. Weev also knows of many tech-savvy journalists to report it to. His motivation was to do the most damage possible and get his name in the news. Fixing the issue was not even on his radar.
AT&T wants us to believe that because their website was so insecure that feeding it sequential data would reveal private customer information, the problem can be solved by throwing the "hacker" -- who notified them immediately and did not leak the customer information -- into jail.
Yeah, right. The overseas hackers aren't going to even care that much. They'll take your information, use it to rob you blind, and presumably AT&T will cover it up, since their response has not been to address the actual problem in this case.
Weev is caught in the crossfire. American industry wants to have government protect it from its own sloppy coding. The truth is that protecting industry encourages more sloppy coding, which then helps the Chinese hackers who are robbing us blind.
FREE WEEV!
Futurist Traditionalism
I don't think he had any obligation to notify them. Computer crime should require circumvention of at least some access control. If a company puts private data on the Internet without access control, the company should be fully liable for all consequences of their actions.
The penalty in this case was too high, even for a repeat offender.
I read the amicus brief with interest and at first it seemed like they had some good points. After thinking about it, I realized their arguments are kind of silly.
Their argument hinges on the idea that Weev couldn't have known that downloading the personal information of hundreds of thousands of people was unauthorized. Seriously? They imply that because Weev COULD access it over the web, he thought he was supposed to. His statements afterwards make it very clear he knew it was unauthorized access and therefore illegal.
They also pretend that they missed Criminal Law 101, where they learned about criminal intent, known as mens rea. They pretend to believe that Consumer Reports testing toasters is the same thing as hacking people's professional information, over 100,000 times, then distributing that personal data. Anyone with a grain of common sense can plainly see they are completely different.
So by your thinking, if you leave your car unlocked, which is a dumb thing to do security-wise, it's okay for someone to steal your stereo?
Sure, a programmer or two at AT&T did something dumb.
That's orthogonal to what Weev did.
In fact, by your logic, if a 16 year old girl walks down a dark street at night (failing to have proper security), the rapist has done nothing wrong. After all, she should have had better security. Perhaps she should have, but that doesn't make it okay to victimize someone.
It would be good for everyone to have it very clear where the line is. I have my name on some CVEs, so I qualify as a "security researcher", I suppose. Also, I'm paid to protect my client's systems, so I understand the costs of criminal hacking. I see both sides and from my perspective it would be good to know that I'm protected from frivolous prosecution if I follow responsible disclosure practices, while not giving a free pass to the criminals attacking us.
We have to be careful though - DMCA was designed to be a balance between creators' need to protect their work and service providers' need to provide hosting etc without undue liability, along with _some_ protection against frivolous claims via counter claims. It works well most of the time, but the lack of penalty for bogus claims means it's also abused too often.
The URL contained the identifier for the phone. Weev fraudulently identified himself as the owner of a phone that was not actually his. He continued to extract information he knew he should not have and then published it. He did not have an obligation to notify the company but he did have an obligation to not send out copies of confidential information that he knew he shouldn't have in the first place. A white hat would notify the company. A black hat would publish the information. Weev did the latter and is therefore a black hat.
A necessary condition for a computer crime should be the evasion of some access control. Identifiers are not an access control measure. The principle you espouse, namely that people have an obligation to keep confidential information of third parties confidential, is a bad one. If we adopted that, everybody constantly would have to second guess whether some piece of information might be confidential or not.
And in doing so, white hats are aiding the continued privacy abuses of AT&T. As I was saying: in the absence of effective legal remedies, it's only embarrassing disclosures and scandals that might cause companies like AT&T to change their ways. Your white hats are about as moral as Saruman.
If we adopted that, everybody constantly would have to second guess whether some piece of information might be confidential or not.
The crux of the matter is the fact that Weev knew the information was confidential but published it anyway. It is not a grey area whether or not the information was confidential. There is a big difference between finding something on a sidewalk and brute forcing millions of ID possibilities at a server. Weev knew what he was doing was illegal and is not trying to hide behind legitimate security researchers. He could have done it the right way but he decided he wanted the publicity and did it the wrong way.
What he "knew" shouldn't be relevant. What should be relevant is whether he had a contractual obligation to keep the data private or confidential.
There won't be when people like you are done.
That kind of reasoning, too, ends up with licensing requirements and restrictions on professions that should have none of that.
Weev seems to have been a jerk, but he isn't the problem; people like you are: people who are trying to protect the people who are responsible for exposing this kind of data in the first place.
Sorry but you're wrong.
For some, but by no means all, laws, intent to break them is an important factor.
Bad analogies are like waxing a monkey with a rainbow.
What he "knew" shouldn't be relevant. What should be relevant is whether he had a contractual obligation to keep the data private or confidential.
Weev had a legal obligation to keep the data private or confidential. If Weev is a security researcher as he claims then he would know the laws surrounding computer intrusion and confidential information. He knew that obtaining, copying and publishing the information was illegal. He can't even try to hide behind "ignorance of the law". What he knew is very relevant. He knew the law, he knew what he was doing was against the law and he did it anyway. In legal terms it falls under intent. Weev intended to break the law and should have to deal with the legal consequences.
There won't be when people like you are done.
Legitimate researchers collect a sample just large enough to prove an issue. What Weev did was collect 1000 times the necessary sample and therefore went way over the line. If you can not see the difference then you have a big problem.
That kind of reasoning, too, ends up with licensing requirements and restrictions on professions that should have none of that.
I would consider the restrictions of not downloading 1000 times the data needed to prove an issue and not sending massive amounts of confidential information to news agencies as very reasonable; and it is the law so no licensing is required. Most legitimate security researchers give the company a chance to fix an issue before going public. Weev didn't even do that.
Weev seems to have been a jerk, but he isn't the problem; people like you are: people who are trying to protect the people who are responsible for exposing this kind of data in the first place.
Is there anywhere I have said that AT&T should not be held accountable for the breach? I think there should be a class action suit by all the people whose data was breached. Does that mean that what Weev did was OK? No. As the old saying goes, "Two wrongs do not make a right".
Weev is a glory hound who broke the law. It is people like you who try to protect black hat hackers that sully the name of true white hat hackers. Weev was not trying to be helpful; He was just trying to get his name in the press.
One can't "sully" the names of either black hat or white hat hackers; you both are apparently either too dumb or too unimaginative to do anything more interesting with computers than look for the PHP coding mistakes of retrained baristas.
I simply want clear, unambiguous lines for what constitutes criminal behavior, and that line should be drawn at the circumvention of access protections. Accessing a public URL without a password should never be illegal, under any circumstances, not to protect "black hats" but to protect folks who, unlike you, actually do interesting things with computers from arbitrary legal prosecution.
you both are apparently either too dumb or too unimaginative to do anything more interesting with computers than look for the PHP coding mistakes of retrained baristas.
You just lost the argument when you resorted to an ad hominem attack. You have shown that your argument is weak and switched to attacking the person.
I simply want clear, unambiguous lines for what constitutes criminal behavior, and that line should be drawn at the circumvention of access protections.
Is entering a building through a door that someone forgot to lock, photocopying a bunch of confidential information and publishing it legal? No. The fact that the URL was not password protected is beside the point. Weev knew that obtaining the data the way he did was illegal.
Accessing a public URL without a password should never be illegal, under any circumstances
I agree to a point. Slamming a server with millions of requests over a number of days, collecting 114,000 email addresses and publishing them should be illegal. It seems that you want the world to be black and white. Sorry but it isn't that simple. Somewhere between inadvertently accessing a URL and trying millions of times is the line between legal and illegal. It is up to the courts to decide where that line is and in this case they decided that Weev's actions were on the illegal side of that line.
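Whatever the courts decide about the legal line, the server operator can at least see this traffic pattern as it happens. The following is an added example, not part of any post above: a small detector that parses constructed access-log lines (the log format, parameter name and thresholds are assumptions) and flags a client that walks the `device_id` space in sequence, which is the "millions of requests using sequentially generated numbers" pattern discussed in this thread.

```python
"""Detect sequential-identifier enumeration in web access logs (added
example; the log format, the /account?device_id= endpoint and the
thresholds are constructed assumptions, not AT&T's)."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample log in a common-log-like format. 203.0.113.5 walks
# ids 1001..1006; 198.51.100.7 re-fetches its own record; 192.0.2.9 is
# unrelated traffic that the parser must ignore.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2014:10:00:01 +0000] "GET /account?device_id=1001 HTTP/1.1" 200 54
203.0.113.5 - - [10/Feb/2014:10:00:01 +0000] "GET /account?device_id=1002 HTTP/1.1" 200 52
203.0.113.5 - - [10/Feb/2014:10:00:02 +0000] "GET /account?device_id=1003 HTTP/1.1" 200 55
203.0.113.5 - - [10/Feb/2014:10:00:02 +0000] "GET /account?device_id=1004 HTTP/1.1" 404 12
203.0.113.5 - - [10/Feb/2014:10:00:03 +0000] "GET /account?device_id=1005 HTTP/1.1" 200 51
203.0.113.5 - - [10/Feb/2014:10:00:03 +0000] "GET /account?device_id=1006 HTTP/1.1" 200 53
198.51.100.7 - - [10/Feb/2014:10:00:04 +0000] "GET /account?device_id=2044 HTTP/1.1" 200 50
198.51.100.7 - - [10/Feb/2014:10:05:00 +0000] "GET /account?device_id=2044 HTTP/1.1" 200 50
192.0.2.9 - - [10/Feb/2014:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# client, device_id, status code; only the record-lookup endpoint matters.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /account\?device_id=(\d+) [^"]*" (\d{3})'
)


def parse(log: str) -> Dict[str, List[int]]:
    """Map each client address to the ordered list of device_ids it asked for.
    Lines that are not record lookups are skipped."""
    by_client: Dict[str, List[int]] = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_client[m.group(1)].append(int(m.group(2)))
    return dict(by_client)


def enumeration_score(ids: List[int]) -> float:
    """Fraction of consecutive requests whose id differs by exactly 1.
    A sequential walk scores near 1.0; ordinary traffic scores near 0."""
    if len(ids) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
    return steps / (len(ids) - 1)


def flag_enumerators(log: str, min_distinct: int = 5,
                     min_score: float = 0.8) -> List[str]:
    """Return clients that touched at least min_distinct distinct ids in a
    mostly sequential order. Thresholds are assumptions to tune per site."""
    flagged = []
    for client, ids in parse(log).items():
        if len(set(ids)) >= min_distinct and enumeration_score(ids) >= min_score:
            flagged.append(client)
    return sorted(flagged)
```

A 404 in the middle of the walk (id 1004 above) does not break the score, since the detector keys on the requested ids, not on which ones existed.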
You said that it is important not to "sully" the name of white hat hackers because they supposedly fulfill some important function and accused me of trying to defend "black hat" hackers. I'm saying that I really have no preference between black hat and white hat hackers: I think they're both ineffective at improving security, have dubious motives, and have no reputation that could be sullied. If Weev getting off free would be bad for white hat hackers, it simply doesn't matter.
Physical trespass is defined in terms of crossing a well-defined (usually marked) physical boundary. You are trying to define electronic trespass in terms of what people "know" instead of well-defined boundaries.
And I don't see why Weev should have known that; I and many others have "slammed" servers with hundreds of thousands of requests using sequentially generated numbers, and that has been legal. Harvesting of E-mail addresses from web pages is common and legal as well.
No, I merely want laws that are reasonably well-defined, as opposed to laws that are so vague that almost everybody is a criminal and enforcement becomes arbitrary.
I think they're both ineffective at improving security, have dubious motives, and have no reputation that could be sullied.
It seems that many companies disagree with you on this point. Companies like Google pay bounties on zero day hacks reported to them. The only way these bounties can be received is to attempt to hack the software. You may see no difference between white hat and black hat hackers but I and many others do.
Physical trespass is defined in terms of crossing a well-defined (usually marked) physical boundary. You are trying to define electronic trespass in terms of what people "know" instead of well-defined boundaries.
The boundary you are looking for is the port that services the URL request. Just because it is not a physical boundary does not mean that the same principle does not apply. What people "know" goes towards what in legal terms is mens rea. Weev knew what he was doing was illegal and did it anyway.
And I don't see why Weev should have known that;
If he was a legitimate security researcher one would think he would at least read up on the laws surrounding unauthorized computer access and identity fraud. There is also a well known legal axiom that "ignorance of the law is not a defense".
I and many others have "slammed" servers with hundreds of thousands of requests using sequentially generated numbers, and that has been legal. Harvesting of E-mail addresses from web pages is common and legal as well.
Did those servers you slammed belong to someone else? Did you have authorization to slam those computers? If the answers are no then count your lucky stars that you have not been prosecuted. Care to cite anything that states that slamming a server with "hundreds of thousands of requests using sequentially generated numbers" is legal? It could very well be seen as an attempt to circumvent security.
No, I merely want laws that are reasonably well-defined, as opposed to laws that are so vague that almost everybody is a criminal and enforcement becomes arbitrary.
The phrase "reasonably well defined" is a subjective term; it means different things to different people. To me "reasonably well defined" means prosecuting someone who served up several million requests to gain access to 114,000 pieces of confidential information. What does it mean to you? If you can not define what it means to you then you have a weak argument.
Enforcement of all laws is arbitrary. Do you think someone who breaks into a house to find medical supplies to treat an accident victim should be prosecuted for burglary? By the law they did break in and remove items without authorization. Where the judgement comes in is intent and mens rea. Weev intended to break the law for publicity. He got the publicity he wanted and a prison sentence he deserved.
Selling medicine for a disease that you helped spread in the first place doesn't make you the good guys.
So you're saying anybody who accesses a URL may be prosecuted?
It was legal and nobody complained about it. But there was a legal risk.
And that is why the rules you propose are wrong.
And that's why people like you shouldn't be involved in computer security: you have bad judgment.
Selling medicine for a disease that you helped spread in the first place doesn't make you the good guys.
Finding a disease that had yet to become an epidemic and pointing it out to the people who can cure it does make one a good guy. Finding a disease and infecting 114,000 people with it makes one a bad guy.
So you're saying anybody who accesses a URL may be prosecuted?
Read the law. You seem to conveniently ignore the word "unauthorized".
It was legal and nobody complained about it. But there was a legal risk.
Saying it was legal is not proof; it is an opinion. You have no proof that what you did was legal; you just didn't get caught.
And that's why people like you shouldn't be involved in computer security: you have bad judgment.
In my opinion, you have poor judgement in your opinion that a password is the only indicator of computer trespass. Opinions vary. In my opinion willfully exploiting a mistake to gain access to massive amounts of confidential data and publishing that data should be illegal. The courts have agreed.
You're absolutely right. And to remove that legal uncertainty, the laws need to change.
No, it doesn't. "White hat hackers" provide economic incentives for companies to create insecure software and then have it fixed for much less money than if they had to do proper quality control in-house. And prohibitions against "black hat hackers" give them some protection against the risk that results from putting out insecure software. Either both "black hat" and "white hat" hackers should go to jail, or neither. The current situation is the worst of both worlds.
Either both "black hat" and "white hat" hackers should go to jail, or neither. The current situation is the worst of both worlds.
This is your opinion. Again, you see the world as black or white which leads you to the prosecute everyone/prosecute no one extremes. There are actually three options:
1. Prosecute everyone.
That would lead to fewer security holes being found before being exploited by criminals.
2. Prosecute no one.
That would leave the door open for criminals to exploit vulnerabilities with no chance of conviction.
3. Prosecute obvious black hat hackers.
In my opinion this is a good compromise between the two other options. It would expose vulnerabilities while keeping consequences for criminal hacking.
As I said: "white hat hackers" are one of the primary reasons we have security holes in the first place; their activities create the economic incentives for companies to release software with security holes in the first place.
You just don't seem to grasp that, although "white hat hackers" helping fix security holes has a short term benefit, it is one of the primary reasons those security holes exist in the first place. Why should a company bother to spend lots of money to make my software secure if it can just release it and pay a fraction of what I would pay for quality control to cheap "white hat hackers", and at the same time be shielded from public humiliation by law?
The only way to get companies to pay more attention to security is to raise the risk and the cost of releasing insecure software. Banning "black hat hacking" and allowing "white hat hacking" decreases risk and decreases costs of releasing insecure software, and that is exactly the wrong public policy.
I'm sorry if that argument is too subtle for your simplistic black-and-white world view.
As I said: "white hat hackers" are one of the primary reasons we have security holes in the first place; their activities create the economic incentives for companies to release software with security holes in the first place.
I guess you have never written a large system. Things get missed. It is your assumption that white hats create an incentive. You have no evidence toward that whatsoever. It is my opinion that the security holes would be there with or without white hats and that white hats help the public by finding them.
Why should a company bother to spend lots of money to make my software secure if it can just release it and pay a fraction of what I would pay for quality control to cheap "white hat hackers",
If there were too many simple security holes then people would move to other more secure software. Or the negligence lawsuits by companies broken into due to bad software. Or the lawsuits by customers whose data is exposed due to security breaches. Maybe you should look into the liability issues surrounding security breaches. In one instance a company gave identity theft protection to everyone whose credit card information was exposed. It cost them hundreds of thousands of dollars.
and at the same time be shielded from public humiliation by law?
They would not be shielded if the white hat hackers are not glory hounds like Weev. You continually ignore the point that there would not have been a court case if Weev had stopped at a few hundred email addresses. Perhaps the distinction between uncovering a security hole and exploiting a security hole is too subtle for you.