Slashdot Mirror


Security Researchers Submit Brief For Andrew "Weev" Auernheimer

USSJoin writes "Andrew Auernheimer (or Weev, as he's often better known) is serving a 41-month sentence under the Computer Fraud and Abuse Act. The case is currently on appeal to the Third Circuit Court of Appeals; his lawyer filed the appellate brief last week. Now, a group of 13 security researchers, led by Meredith Patterson, and including Peiter "Mudge" Zatko, Space Rogue, Jericho, Shane MacDougall, and Dan Kaminsky, are making their own thoughts heard by the court. They are submitting a brief to the Third Circuit Court of Appeals that argues that not only is Weev's conviction bad law, but if upheld, it will destroy independent security research, and perhaps the rest of consumer safety research as well."

35 of 161 comments

  1. What Weev did by wonkey_monkey · · Score: 5, Informative

    It may have been pertinent to briefly explain what he actually did in the summary - he was the guy who got hold of 114,000 AT&T customer email addresses. Beyond that I don't know much, except that there is some argument over whether what he did was any kind of "hack" - he may have just navigated some exposed folders. Either way, you still probably get less than 41 months for kicking a puppy to death.

    --
    systemd is Roko's Basilisk.
    1. Re:What Weev did by Trepidity · · Score: 5, Informative

      He was also convicted of conspiracy to distribute those addresses for criminal purposes based on the fact that he... sold them to Russian fraudsters? No: disclosed them to a journalist. I guess the criminal purpose was embarrassing AT&T?

    2. Re:What Weev did by interkin3tic · · Score: 2

      He also broke a gag order. A gag order which sounds like it was intended to bully and bankrupt him into submission.

      Just throwing this out there for someone with more legal insight than me: how is it that gag orders are justified when there's not a fear that one of the witnesses is going to get shot by the mob?

    3. Re:What Weev did by reimero · · Score: 2

      The appeal brief (linked above) is worth a read. There's a lot of legal-ese in there (obviously), but it raises some very serious questions (not the least of which is double jeopardy.) There's also the legitimate question of what constitutes "unauthorized" access. From what I can tell, AT&T used those individualized headers as an authentication/authorization scheme, and relied on security through obscurity. Auernheimer changed the headers and gained access to accounts that were not his. There was no other authentication "challenge", no effort made on AT&T's part to verify the authenticity of the header, and no encryption.

      Auernheimer is certainly a shmuck, but in this specific instance, I don't think he broke the law, and if he did, it was at worst a misdemeanor. I really think this is AT&T pushing for aggressive prosecution to cover their own tails: that security scheme was so weak that they'd likely have been subject to a lawsuit of their own had they not gone after Auernheimer aggressively.

      --

      ----------

      Something clever
    4. Re:What Weev did by Ash-Fox · · Score: 2

      Note: I am not the original poster and I am not from or even live in the U.S.

      it still doesn't repeal the 4th Amendment.

      I don't view what the NSA did as a violation of the 4th amendment (was it ever fully confirmed that the gathering of data was warrantless, or was it entirely through the FBI's warrants?).

      The method of duplicating data they used does not look anything close to a search and seizure to me. Nor do I see persons being deprived of houses, papers, and effects in this intelligence gathering.

      I feel that trying to use the 4th amendment to stop this is somewhat weak, the amendment seems more constructed in a form to prevent people from being hassled/harassed and deprived of personal effects. Then there are words like "unreasonable" used, so even if this is considered to be infringing the 'search and seizure' contexts, I am uncertain that this can be considered unreasonable considering the context of what this amendment appears to have been written in.

      Now, of course, there are going to be rulings that disagree and agree with me, but my point here is that I feel the 4th amendment argument is actually quite weak in this scenario and feels more like you're trying to use something unrelated to get your way. I should also point out that there have since been a bunch of law changes that give approval to such actions - I don't know if that would make it considered 'reasonable' since it's been approved at various levels of government institutions which are run by the people.

      It would be great to see better arguments than "it still doesn't repeal the 4th Amendment." with no decent explanation as to how the 4th amendment is really involved.

      --
      Change is certain; progress is not obligatory.
    5. Re:What Weev did by Jane Q. Public · · Score: 2

      "There's also the legitimate question of what constitutes "unauthorized" access."

      Their first point is the one I feel is most pertinent and carries the most weight: the fact that calling a breach of Terms of Service a "crime" would effectively allow private corporations to write their own laws... something that is very clearly outside not just our Constitution, but our entire historic system of justice, from long before the Constitution was even conceived .

    6. Re:What Weev did by davydagger · · Score: 2

      in other news, a bunch of teenagers who raped another teenager, bragged about it in a video, and put it on the internet get two years (24 months) in juvenile hall

      http://abcnews.go.com/US/steubenville-football-players-guilty-ohio-rape-trial/story?id=18748493

      good job America, way to let the world know you have your priorities right.

  2. Stretching the laws for corporations by sl4shd0rk · · Score: 4, Insightful

    What Weev did was spoof his Browser headers and then send a bogus ID to AT&T's webserver. The dumbasses who wrote and reviewed the code on AT&T's backend were negligent in that they blindly trusted the user input and spit out private information as a result. If that's what the Spec said was supposed to happen, then start climbing the ladder and find out who authorized customer info to be so accessible.

    In my mind, the people in charge of code review at AT&T need to be in court answering questions as to what other code they have facing the internet which could be circumvented in a similar way giving away customer info to anyone who can use a common browser plugin and simply change a form variable. This is a clear case of glaring corporate negligence being covered with the Computer Fraud and Abuse Act.

    I'm not even sure what the CFAA is supposed to protect, but if its primary use is to keep people from asking questions about how their private info is stored, and who has access to it, then get rid of it. The only people winning from legislation like that are the ones who would otherwise be sued for negligence.

    --
    Join the Slashcott! Feb 10 thru Feb 17!
    1. Re:Stretching the laws for corporations by Anonymous Coward · · Score: 3, Informative

      The only people winning from legislation like that are the ones who would otherwise be sued for negligence.

      And who do you think wrote the legislation?

      Whenever laws like this are written, it's the corporate interests via their lobbyists who write the laws.

      Then the Congressman on that particular corporation's buddy list submits the law as his own work.

      Being a Congressman is a pretty cushy deal - 6 figure income, other people do your work, you get your ass kissed, travel around for free and get entertained, no worries about what the little people go through and it just goes on ....

      If it weren't for the fact that I'm a really shitty liar (and couldn't keep a straight face with the platform needed to be elected), I'd jump on the job in a heartbeat!

    2. Re:Stretching the laws for corporations by Infiniti2000 · · Score: 2, Insightful

      Whoa, easy on the vitriol there, bub. Don't let bad design cloud your judgment of the actual case. It matters not how badly the AT&T folks implemented security (or not) on their system. The fact is Weev "stole" it (copied without permission) and then stupidly publicized it. What's more, he "shared it with various interested parties."

      As far as I'm concerned, anyone calling their group Goatse Security needs to be punished anyway. I'm not interested in trying to explain to my 6yo what the fuck that means.

    3. Re:Stretching the laws for corporations by hublan · · Score: 2

      Whoa, easy on the vitriol there, bub. Don't let bad design cloud your judgment of the actual case. It matters not how badly the AT&T folks implemented security (or not) on their system. The fact is Weev "stole" it (copied without permission) and then stupidly publicized it. What's more, he "shared it with various interested parties."

      If AT&T had left printouts of highly personal data in a dumpster and someone had found it right there, then I don't think you would've had a problem fingering the culprit. AT&T, right? Dumpster diving would certainly not get someone 41 months in the slammer (e.g. California v. Greenwood).

      In other words, it was right there in the open. Hence, the blame lies squarely with AT&T for not properly securing their customers' private information.

      As far as I'm concerned, anyone calling their group Goatse Security needs to be punished anyway. I'm not interested in trying to explain to my 6yo what the fuck that means.

      Your obvious lack of parenting skills is not his responsibility.

      --
      My spoon is too big.
    4. Re:Stretching the laws for corporations by DarkOx · · Score: 3, Insightful

      I'd say ATT published it when they made it available online via webserver with no effective authentication around it.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  3. LOL. Okay, and.....? by SomePoorSchmuck · · Score: 4, Insightful

    "...not only is Weev's conviction bad law, if upheld, it will destroy independent security research, and perhaps the rest of consumer safety research as well."

    Yeah, I'm pretty sure that's the point. What in the world makes them think the government and the mega corps that they've merged with wouldn't want to "destroy independent security research" and "consumer safety research"? You think those federal-corporate cockroaches want you shining a light on their clandestine behind-the-fridge data gorging?

    --

    Hollywood, Television, has become the dream machine. We need to take that back; each of us is a Dream Machine
  4. What this really is by Zontar_Thing_From_Ve · · Score: 2

    In reality this is a just a case of the following:
    Researcher finds that Joe Blow has gone out of town and left the door to his house unlocked and open. Researcher publishes this information in a blog along with the address to the house. House gets robbed. Police hold Researcher responsible. Researcher insists it's not his fault that the house got robbed.

    Yes it really is that simple.

    1. Re:What this really is by Culture20 · · Score: 4, Insightful

      Did he delete the data on AT&T servers? Refine the analogy so the researcher is using a digital camera.

    2. Re:What this really is by Trepidity · · Score: 2

      No, it isn't really related to that at all. Public-facing web servers, unlike houses, are not by default considered private. The public is expected to and routinely does enter. They are private property, but private property regularly offered to public use. If you require a physical space analogy, sort of like a plaza owned by a corporation, in front of its HQ, which has no fences around it and is regularly accessed by the public.

    3. Re:What this really is by mi · · Score: 2

      Well, if NSA going through your electronic mails — without even touching anything tangible in your house — is a violation of the 4th Amendment, then the distinction you are trying to make regarding copying electronic data is without (much) difference...

      --
      In Soviet Washington the swamp drains you.
  5. Authoritarian governments by Anonymous Coward · · Score: 2, Informative

    ...will be the first pwned in a cyberwar because fear will have kept their system from ever being tested.

  6. Sorry by damicatz · · Score: 4, Insightful

    I'm finding trouble having sympathy for this guy.

    He manipulated URLs to access areas that were not publicly visible. The information that he gleaned by manipulating these URLs was information that any reasonable person would deduce as information AT&T did not intend to make public. Rather than informing AT&T about the vulnerability, he went to Gawker and leaked the information that he gained, victimizing all of those people in the process. Just because someone leaves a door unlocked or open does not give you the right to go in and steal stuff, and this is no different. Mens rea is *everything* here; if he had just gone to AT&T or acted responsibly in the disclosure, rather than trolling, he would most likely have never been charged.

    As far as the prison sentence goes, he brought that on himself as well. It is *beyond* stupid to swear at a federal judge and call her a "mean bitch" when she is the one that is sentencing you. It is *beyond* stupid to go on a public forum and post that you intend to commit the same crimes again once you get out of prison. Do not complain when you get the book thrown at you after you try to turn the courtroom and the trial into a three-ring circus. Trolling a federal judge is never a good idea.

    There is also the matter of his past history. I have not forgotten about what he did to Kathy Sierra or the other women that he made rape threats against. Or the "GNAA". His entire life has been dedicated to griefing people and generally being an asshole and yeah, the judge is going to look at that.

    1. Re:Sorry by CanHasDIY · · Score: 3, Insightful

      As far as the prison sentence goes, he brought that on himself as well. It is *beyond* stupid to swear at a federal judge and call her a "mean bitch" when she is the one that is sentencing you. It is *beyond* stupid to go on a public forum and post that you intend to commit the same crimes again once you get out of prison. Do not complain when you get the book thrown at you after you try to turn the courtroom and the trial into a three-ring circus. Trolling a federal judge is never a good idea.

      Yea, it's not like the people who came up with the idea for this country made it the law that every citizen has a right to bitch to and about government agents, right?

      Oh, wait...

      You know, it's a sad day in America when the exercise of our civil liberties is colloquially considered to be a "stupid" action...

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    2. Re:Sorry by damicatz · · Score: 2

      You have the right to free speech. That doesn't mean you have immunity from the consequences of your speech. If you go around telling everyone, during sentencing, that you are going to go and commit the same crime again (regardless of whether you agree it should be a crime or not), the judge is absolutely going to take that into account during sentencing because it indicates a high probability that the person will do the same thing again.

    3. Re:Sorry by thoriumbr · · Score: 4, Interesting

      Let's pretend you have a million bucks in some bank (you do have, don't you?). The bank says it will protect your money with their lives, and everything is secure. Someday you hear that one researcher (or troll, or terrorist) went to the parking lot next to the bank, started a sniffer, and discovered that your bank uses unencrypted WIFI networks, so he added a private IP address to his network card and could access all bank servers and read data from any account.
      Who would you blame? The bank or the guy?

      I still think that Weev is not a saint, but AT&T is to be blamed here. AT&T should have gotten a hefty fine for gross negligence, putting hundreds of thousands of customers in danger. Weev must be fined too, but serving 41 months of jail time is too much, IMHO.

    4. Re:Sorry by damicatz · · Score: 2

      Both. What AT&T did was stupid and inexcusable from a security standpoint but that doesn't make exploiting it right. As I said, I would have more sympathy if he were a legitimate security researcher who tried to go through the proper channels. As it stands, he is nothing but a troll that has devoted his entire life to making other people miserable and he finally trolled one person too many.

    5. Re:Sorry by damicatz · · Score: 2

      The problem is, that simply isn't how it works and it has never worked that way.

      For example, there is something called the reasonable time and place restriction. If you try to hold a protest in front of the White House at 2am, you absolutely will be forced away by the police and their doing so is perfectly constitutional. The same goes for a courtroom; you cannot act out in court. If you disagree with a judge, the appropriate process is to appeal that decision. And, furthermore, things you say can be used against you in court (look up the Miranda Warning).

    6. Re:Sorry by interkin3tic · · Score: 3, Insightful

      Unfortunately, now there's a precedent for sending the next whistleblower to prison, even if said next whistleblower was a saint.

      I suppose that probably would have happened anyway, since somehow companies think that a scapegoat will distract from their security lapses.

    7. Re:Sorry by Glarimore · · Score: 2

      He went to Gawker and leaked the information that he gained, victimizing all of those people in the process. Just because someone leaves a door unlocked or open does not give you the right to go in and steal stuff and this is no different.

      A door being unlocked doesn't obligate you to inform the owner of the door, nor is there any reason you can't tell someone else about it.

      It is *beyond* stupid to swear at a federal judge and call her a "mean bitch" when she is the one that is sentencing you.

      I think that, like with police officers, it is up to a judge to be the "bigger man" and realize that although it is rude, being a dick isn't something someone should get jail time for.

      It is *beyond* stupid to go on a public forum and post that you intend to commit the same crimes again once you get out of prison.

      It is stupid, but if the "crimes" that landed him in jail should not have led him to be serving jail time to begin with, I think he has reason to make a big, public hubbub about it. The guy is an asshole, but I don't want any dangerous precedents being set just so he gets punished. Besides, there is nothing to gain from him being in jail.

      His entire life has been dedicated to griefing people and generally being an asshole and yeah, the judge is going to look at that.

      Maybe we should go ahead and throw Kanye West in jail the next time he gets a moving violation? I mean, the guy is generally an asshole.

    8. Re:Sorry by oxdas · · Score: 2

      He manipulated URLs to access areas that were not publicly visible

      They were on public facing servers without any authentication. That is about as "publicly visible" as it gets. He is a stupid, unsympathetic man, but that doesn't change the facts of the case. AT&T left this information on a public server. A home is a terrible analogy for a public server. It is more like AT&T left the paper copies of their customer data in a corner of the public lobby of their building (which they intended to be private but had not put up any signs or walls, etc.) and he saw them and took pictures, then gave the pictures to a reporter. He did not trespass to obtain this information, as AT&T placed this information in a public place.

  7. Re:LOL by sideslash · · Score: 4, Interesting

    If you read those comments in a hostile light, then sure, then it looks like he's up to no good. But just from those snippets, it's ambiguous. As far as the phishing thing, how the heck do you think a security researcher would describe the importance of a vulnerability discovery? It appears that Weev had no intent to use the data maliciously, he just exposed AT&T's wrongdoing to the world. Do you have any evidence otherwise?

  8. Re:LOL by thoriumbr · · Score: 4, Interesting

    No, Weev is not an independent security researcher, he is a troll. BUT he used the same tools the researchers use. It's like passing a law outlawing the use of lockpicks. Surely all thieves would be affected, but it would affect locksmiths too.
    If Weev loses the appeal, the traffic on the full-disclosure mailing list will drop a lot. If I discover a bug on the Paypal website that allows anyone to access a third party's account, and I inform Paypal, I would be guilty.
    Even if Weev is a troll who was thinking of making a profit from the AT&T mistake, the problem is shifting the blame for exposing the innocent victims from AT&T to Weev. The way this is going, it looks like AT&T did everything right, responsible, blameless, and an evil hacker with super-human powers hacked their NSA-grade secured servers and stole the data, when what really happened was that AT&T didn't even bother to protect the data in any way.

  9. Two words: RESPONSIBLE DISCLOSURE by MobyDisk · · Score: 2

    RESPONSIBLE DISCLOSURE! RESPONSIBLE DISCLOSURE! RESPONSIBLE DISCLOSURE!

    We need a law that states what is legally protected responsible vulnerability disclosure. Something that says "If you do it this way you are not a criminal." Something like:

    1) Notify the responsible organization.
    2) Give them X days.
    3) After that, you may optionally notify a responsible government agency or industry organization like CERT.
    4) Give them X days.
    5) After that, you may go public with the information.
    etc.

    Anyone in the security industry should already know to do this, but a law would make it clear.

  10. The brief missed a useful use case by Anonymous Coward · · Score: 3, Insightful

    The brief describes how a web request is like asking a librarian for a book. If the book is non-public she then asks for credentials and, if they are OK, gives you the book. Since AT&T's web server didn't ask for credentials, the web pages were fair game.

    This misses another use case. It is also possible to include your credentials with the request for the book. A librarian would respond to this request for private data just like a request for public data. The included credentials could be a big, secure random number, or an obvious small number like the record number.

    In some cases a web site uses a simple record number for public data so that a user can access it by providing the record number. In this case AT&T used a simple record number for private data which they did not want accessed.

    One could argue that they 'locked' the data, but with a cheap lock. The thing is, one can recognize a physical lock and know to respect it. In this case the web server provided no indication that the data was private. In fact, as the brief outlines, it indicated the reverse.

    From their reactions, both AT&T and the security guy knew the information contained in the data should not have been public. The security guy did not benefit from the data, but rather published the problem so it would get fixed (without this, good guys might have walked by this 'lock', but how many bad guys quietly didn't?). AT&T reacted to 'kill the messenger' by declaring after the fact that the data was private.

    It doesn't seem good law to allow this to stand.
        1) It removes the feedback which closed the security hole.
        2) It allows the server owner to escape responsibility for a poor (perhaps dangerous) design.
        3) It makes it impossible to draw the line for 'normal' versus 'criminal' web browsing for us all.
        4) It leaves a generally harmless guy in jail for violating an after the fact business rule.
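    The request pattern that comment 2 ("change a form variable") and the comment above ("a simple record number for private data" versus "a big, secure random number") are arguing about is an insecure direct object reference. The block below is an added example, not code from the thread, from the brief, or from AT&T: it models the endpoint as plain Python functions so it runs offline, with a constructed subscriber table, constructed identifiers, and a constructed session store. It shows why a client-supplied sequential identifier with no other check is enumerable, and the server-side fix: the identifier is still accepted, but the server checks that the record belongs to the authenticated caller and returns the same empty answer for "not yours" and "does not exist", so the endpoint cannot be used as an existence oracle either.

```python
"""Added example (not from the thread): client-supplied record identifiers with
and without a server-side ownership check.

Everything below is constructed for illustration: the identifier format, the
subscriber table, the session store and the function names are assumptions,
not the real AT&T service.
"""
import secrets

# Constructed sample records: sequential 14-digit device identifier -> account e-mail.
SUBSCRIBERS = {
    "89014100000001": "alice@example.com",
    "89014100000002": "bob@example.com",
    "89014100000003": "carol@example.com",
}

# Constructed session store: random session token -> authenticated account.
SESSIONS = {}


def lookup_vulnerable(device_id):
    """The weak pattern: the identifier the client sends is used directly as the
    lookup key. No authentication, no ownership check. Whoever can guess a valid
    identifier gets the e-mail behind it."""
    return SUBSCRIBERS.get(device_id)


def enumerate_vulnerable(start, count):
    """What an attacker does with a sequential key space: walk it. Each hit is a
    record that was never tied to the requester in any way."""
    found = {}
    for n in range(start, start + count):
        device_id = f"890141{n:08d}"  # assumption: fixed prefix, sequential suffix
        email = lookup_vulnerable(device_id)
        if email is not None:
            found[device_id] = email
    return found


def login(email):
    """Issue an unguessable session token (256 bits from the OS CSPRNG) for an
    account that has already authenticated by some out-of-band means."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = email
    return token


def lookup_hardened(device_id, session_token):
    """The fix: the identifier in the request is never treated as proof of
    ownership. The server resolves the record, then checks that it belongs to
    the authenticated principal. Both failure modes (no such record, record
    owned by someone else) return the same None so the caller learns nothing
    about which identifiers exist."""
    principal = SESSIONS.get(session_token)
    if principal is None:
        return None  # unauthenticated: deny before touching the record store
    email = SUBSCRIBERS.get(device_id)
    if email is None or email != principal:
        return None  # missing or not owned by the caller: identical response
    return email


if __name__ == "__main__":
    print("vulnerable enumeration:", enumerate_vulnerable(1, 10))
    tok = login("bob@example.com")
    print("hardened, own record:", lookup_hardened("89014100000002", tok))
    print("hardened, someone else's record:", lookup_hardened("89014100000001", tok))
```

    The ownership check is the whole point; switching the identifier to a large random value (the "big, secure random number" in the comment above) only raises the cost of guessing, it does not by itself tell the server who is asking, so a leaked or shared identifier would still work for anyone who holds it.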

  11. Re:LOL by jklovanc · · Score: 2

    Untrue. All he had to do was show the URLs he used to get each address and how the URLs could be changed to get more data. The company would have been able to hit those URLs and confirm that is where the data came from. That would have made it clear that there was a big issue.

    He may have been able to get the email addresses from somewhere else but the evidence of the URLs is overwhelming.

  12. Re:LOL by martyros · · Score: 2

    And as the brief actually points out, a person's beliefs about whether what he did was illegal or not are completely irrelevant to whether or not a crime was actually committed. If what you did was illegal, you are punished even if you believe it to be legal; but the converse holds true as well -- if what you did was legal, you should not be punished, even if you believed that it was illegal.

    --

    TCP: Why the Internet is full of SYN.

  13. Re:LOL by jklovanc · · Score: 2

    The URL contained the identifier for the phone. Weev fraudulently identified himself as the owner of a phone that was not actually his. He continued to extract information he knew he should not have and then published it. He did not have an obligation to notify the company but he did have an obligation to not send out copies of confidential information that he knew he shouldn't have in the first place. A white hat would notify the company. A black hat would publish the information. Weev did the latter and is therefore a black hat.