Is Weev Still In Jail Because the Government Doesn't Understand What Hacking Is?
Daniel_Stuckey writes "Last March, weev, the notorious internet troll who seems to be equally celebrated and reviled, was convicted of accessing a computer without authorization and identity fraud, and sentenced to serve 41 months in prison. 'He had to decrypt and decode, and do all of these things I don't even understand,' Assistant US Attorney Glenn Moramarco argued. Here, on a Wednesday morning in Philadelphia, before a packed courtroom, the federal prosecution argued that a hacker should spend three and a half years in prison for committing a crime it couldn't fully comprehend. Previously, Orin Kerr, a law professor at George Washington University and weev's defense attorney, had argued first and foremost that there was no criminal hacking to speak of. According to Kerr, what weev and Daniel Spitler (who pleaded guilty to avoid jail time) had done while working as an outfit called Goatse Security was entirely legal, even though it embarrassed public officials and some of the country's biggest corporations."
They totally sound trustworthy.
Troll is not a replacement for I disagree.
He's in jail because he accessed a crapload of records from ATT he shouldn't have.
Not to say ATT shouldn't have used better security, mind you, but them's the breaks. It's not like the end point he found was big P public. He found it snooping on the traffic from an iPad during sign up.
Furthermore, instead of going to ATT, he went to Gawker first.
So. No.
Non impediti ratione cogitationus.
...particularly for punishing small fries who get in the way of large corporate interests and other big shots.
Along the same lines, we can ask why 'Bidder 70' went to jail for stopping the illegal sale of public land.
"He used some sort of mechanical rodent attached to an electric typewriter to 'click' on some things. It was way over my head so he's guilty of something!"
Purposely trolling, but my point is that the majority of /b/'s content is illegal, endorsing criminal behavior, or inducing people to kill themselves.
If someone was thrown in jail for something they posted on /b/, they certainly deserve it (if only to send the message that there are consequences to bad behavior), but as for length of jail time, probably should not be treated the same as ... you know, holding a gun to someone's head in a game of Russian roulette.
The act of dox'ing is often done by people who are "4chan fags" and work for mobile carriers or ecommerce sites, have access to an extremely large amount of identity information, enough to screw over the real people's identity they mess with.
Trolling stops being a "joke" when someone suffers emotional, financial or physical harm. Unfortunately, only the last two have consequences.
No idea about the legal aspects, but given the images that the name brings to mind I think I would pass on its services.
And it blows open in the wind, I can just hop on in to your house and nose around?
The answer, in case you are wondering, is no. While you should take precautions to secure your house, your failure to do so is not the same as permission to enter or do as I please.
Can we please stop this foolishness. Now I'm off to reddit where I can enjoy my free time.
Once more in plain English Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
DRM? No thanks, I'll just get it somewhere else...
Weev is whale turds. He's the lowest of the low, he knows it, and he relishes it. He's like a wolverine, pissing and shitting on the carcass he found, so nobody else will try to eat it, even though he can't stand his own stench.
Which is why it sucks so God Damned much to have to defend his useless ass!
But then, if you can't defend the worst of the worst from clear injustice, then we don't even have the hope of having a republic.
[End Of Line]
If he raped, stole, did drugs, mugged someone, I bet he would get far less time. There are even whole groups of people that get arrested over 60+ times!!!
Don't hack. To do so might mean maximum prison in solitary confinement. You think I'm joking, but that's how afraid these clueless people are. They view hackers as some magic wizards that can open cell doors with thought alone.
Life is not for the lazy.
...for the name of his security company, clicked on the first link, and said "OK, asshole, now you're going down!"
Now insert your own PMITA Prison/Goatse joke here...
Lawrence Person (lawrencepersonh@gmailh.com (remove all "h"s to mail)
http://www.lawrenceperson.com/
Because Netflix isn't pressing charges.
If person A trespasses on person B's property, and then charges them for trespassing, it's not hypocrisy when person C walks in on person D's property and they don't care.
Furthermore, Alexis Madrigal didn't scrape 110k+ emails from Netflix's customer database.
Non impediti ratione cogitationus.
Maybe they should have told the court that they had no authority to charge or even know any information about the case or the defendant's actions since national security and the safety of entire free world was at stake. That seems to scare every other court off, right?
You're telling me slashdotters don't want to see a troll go to prison?
"If any question why we died, Tell them because our fathers lied."
If someone dangles their genitals while traffic passing by can see, take a picture of, and release publicly while informing the police of the infraction can be arrested for dangling their genitals in public view - I find it completely mind boggling that the same enforcement can't be brought against a company that dangles their genitals on the intraweb.
_ _ _ Go for the eyes Boo! GO FOR THE EYES!
We will look back on things like this and think, "Holy shit, we imprisoned people for that? Man, that was stupid. I'm sure glad I didn't live in that barbaric era of witch-huntery!"
Classic works for me, remove the 'beta' stuff from the url
"First they came for the slanderers and i said nothing."
Here are a couple of differences between what Weev did and what the reporter did.
Reporter
Tried a sequence of numbers totaling maybe 100k in sequence of which most were valid.
The data retrieved is movie genre tags. The use of the data is to translate a number into a string of text to display the Netflix genre code on browsers and apps. There are no privacy concerns or profit potential for this data.
Each data point retrieved is designed to be used by millions of people. Anyone with "Japanese Horror Movies" in their list would use code 10,000.
Weev
Tried millions of possibilities of which most were invalid.
The data downloaded was valid email addresses of over 100k people. This is a serious privacy breach as these emails can be used as identity on many web sites and sold to spammers which will facilitate spam.
The data is designed to be used by the owner of the phone as identified by the IMEI and not anyone who can spam enough possible IMEIs to find a valid one.
Sorry but these are very different things. The Netflix database was meant to be public while the iPad one was not.
"Classic works for me, remove the 'beta' stuff from the url."
Be careful, or you'll be tossed in jail for hacking /.
If I find a bunch of people's personal information, and throw it online somewhere, I probably will be.
"First they came for the slanderers and i said nothing."
What he did seems rather grey to me. I don't exactly buy the argument that this was legit access. Especially when he went and downloaded 140,000 some email addresses.
41 months does seem like a ridiculous sentence for stealing some freaking email addresses though. Is it really supposed to be worse just because he got Michael Bloomberg's email address? Isn't punishment supposed to be based on harm done? For a crime, this sounds pretty penny-ante.
AccountKiller
In 1997, MT&T launched RADSL service Mpoweredpc.net (7mbps down, 1.088mbps up, $45/mo). As a customer they gave me a printout of a url for my account information. I modified a few random looking numbers on the URL and sure enough, it was an ID for other customers' profiles (could go through them all)!! I even had access to their original email passwords (if they had not changed them, I knew this from my own profile).
I immediately reported it to the company, and even sent several follow up emails, yet it took them a good 6 months to close the security 'hole'.
There's something to be said for going public, it makes companies get their asses in gear... Better news sites than hacker ones of course (not that back then it would have done anything, as IT news was pretty weak).
Sorry but these are very different things. The Netflix database was meant to be public while the iPad one was not.
The fact is both were on web servers. The entire point of a web server is to handle requests, if you don't want something publicly accessible, begin by not putting it online. How are we to determine what is or isn't authorized? If you put something online, and later say that someone wasn't supposed to access it, who is liable?
The data is designed to be used by the owner of the phone as identified by the IMEI and not anyone who can spam enough possible IMEIs to find a valid one.
If only there were some way to flag and block repeated attempts... this is about as brilliant as those folks who decided using a Social Security Number as a means of identification.
TL;DR Defending negligence will not improve things.
One gets tired from walking around doing nothing.
if you don't want something publicly accessible, begin by not putting it online
So no online banks, credit card companies, etc. Just because it is on the web does not mean it is public.
Defending negligence will not improve things.
Defending people who exploit negligence does not improve things either. In my opinion there should be consequences for both Weev and Apple.
... people can claim that they did not know how to do witchcraft, but they could point out to the judge which persons were witches and which were not.
In the 21st century, people can claim that they do not know how to hack, but they can tell the court who are the hackers and who are not.
As if people never learned any lesson from what had transpired three long centuries ago.
Many thanks, Mr. Edward Snowden!
So no online banks, credit card companies, etc. Just because it is on the web does not mean it is public.
Absolutely it does, it's implicit when it's on the web (short for World Wide Web) especially without authentication (doesn't that usually involve username + password?). Ultimately I believe you're arguing about intent of the organization, something the web server and client know nothing about. Requests (not demands) are received, and the web server replies. Private networks are just that, not publicly accessible. This is the digital equiv. of driving down various streets (publicly accessible addresses) incrementally and being provided with information at the end.
How is an organization not responsible for what they put online, after all are they not the ones solely authorized to determine what they want to provide others access to? It's not like this involved a username and password like the online banks or credit cards do.
Remember those folks who would share out their entire drives on file sharing networks? It's not up to a client to determine validity of who is or isn't authorized - that's the job of the people configuring the server. It is up to the entity operating the server to ensure that data is protected, authentication isn't anything new, especially robust systems. Would you defend the government for making a system where simply using a street address would allow one access to information (taxes etc.)? How about your Bank? Explain your reasoning, please.
Defending people who exploit negligence does not improve things either.
What does this have to do with my point, you think I like this asshole? Are you under the impression that making an example out of this guy will somehow improve things? If that were the case simply putting a guy through the system, the first time, would've sent the message loud and clear! If you're a customer of this company after this, you're crazy but I can understand how you'd be upset; although you should really focus on WHY THIS HAPPENED. You're ready to punish him for what amounts to an embarrassment. Also, you included email addresses in your rant, FYI email addresses are not private information. They're as private as a phone number is (something listed in directories and/or published in books).
You make a point of mentioning that this occurred thousands of times. What if you clicked on a link via a URL shortening service that directed you to one of these links, do you think you should be put in jail? Is it an exploit only if you do it x number of times? Do you think you should be liable for fraud for entering IMEI#s? What about accessing a website or service when it's really busy (DDOS)? What about visiting slashdot and typing in an account name that's a misspelling of yours which happens to have the same password? Swap out slashdot with your bank of choice. Is it criminal now since it's "unauthorized access" of a computer system?
Lazy/incompetent/unprofessional people get no sympathy from me, they've earned this, and the company (developers, sysops, and managers in charge of these systems) need to own up to their shitty half-baked design and policies. They deserve to get their feet held to the fire. If they're unable to perform, there isn't a shortage of qualified people who would jump at a chance to take their places in a fucking heartbeat.
One gets tired from walking around doing nothing.
There is no difference to physical entity to electronic entity. Or are you pretending we need MORE law to regulate electronic/internet entity ? No ? Then imagine if I was telling you this :
"Any door that is unlocked is not a free for all. Opening and entering that door is not trespassing at all. And he had no legal requirement to notify the door owner first."
We have already enough law on the book. If you are accessing a direct URL and manipulate URL to see what is not normally accessible thru the public portal by a link, you are trespassing. Any "but it is not behind a lock / password" is a bullshit defense.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
If the consequences for weev and Apple/AT&T were roughly proportional, there would probably be a lot less outcry. However, as far as a cursory search reveals, they didn't receive any kind of reprimand other than looking like idiots.
This is my signature. There are many like it, but this one is mine.
Would you defend the government for making a system where simply using a street address would allow one access to information (taxes etc.)? How about your Bank? Explain your reasoning, please.
I am not defending AT&T. I think they should be heavily fined and hopefully someone go to jail. I also think that someone who exploited the hole should also be sent to jail and heavily fined. The only people I am defending are the ones who had their information stolen.
Absolutely it does, it's implicit when it's on the web (short for World Wide Web) especially without authentication (doesn't that usually involve username + password?)
There are some authentications that do not use user/password. For example, Paypal Payflow uses a signature which is a single long number that identifies that account and gives authorization for access. It is a single number somewhat like an IMEI.
FYI email addresses are not private information.
Have you ever seen a directory of email addresses? There may be a reason for that. I have looked and I have not found a legal definition one way or the other. By the way, the parallel with phone numbers may be flawed as some numbers are unlisted and not allowed to be published in directories. I believe that the owner of the number must authorize listing the number.
You make a point of mentioning that this occurred thousands of times.
Make that millions of times with millions of different combinations.
What if you clicked on a link via a URL shortening service that directed you to one of these links, do you think you should be put in jail?
That is one URL and not millions of different URLs.
Do you think you should be liable for fraud for entering IMEI#s?
Yes, if the IMEI does not belong to you or you have not been authorized by the owner to use it.
What about accessing a website or service when it's really busy (DDOS)?
If most of that load is caused by your servers hitting their servers then yes. If it is by normal browser traffic then no.
What about visiting slashdot and typing in an account name that's a misspelling of yours which happens to have the same password?
Don't you see how this is very different from trying millions of different password combinations? One of the precepts of law is intent. It is pretty easy to show no intent when typing in a few incorrect characters. It is easy to show intent when you create a script that generates millions of possible IMEIs and spams a server with them.
Lazy/incompetent/unprofessional people get no sympathy from me
I completely agree. I also think that people who exploit flaws for the purpose of profit and/or self aggrandizement should be held accountable for their actions.
We are actually not too far apart. In my view the problem was caused by both Weev and AT&T they both should be prosecuted. What do you think?
Agreed. If more people took the stance of "both are wrong and should be punished" maybe something would happen. The "Weev is innocent" chant just muddies the waters and dilutes any pressure to prosecute AT&T.
Honestly, based on all indicators from the press over the last couple years, Weev has been a fairly miserable human being on most accounts, interested in causing disruption and not much else. The New York Times in particular did a very good expose on a number of individuals (including Weev), covering their behaviors over the last couple of years, and their admitted trolling behaviors.
* http://www.nytimes.com/2008/08...
Here is a gem, highlighting some of his conduct.
Weev, the troll who thought hacking the epilepsy site was immoral, is legendary among trolls. He is said to have jammed the cellphones of daughters of C.E.O.’s and demanded ransom from their fathers; he is also said to have trashed his enemies’ credit ratings. Better documented are his repeated assaults on LiveJournal, an online diary site where he himself maintains a personal blog. Working with a group of fellow hackers and trolls, he once obtained access to thousands of user accounts.
I first met Weev in an online chat room that I visited while staying at Fortuny’s house. “I hack, I ruin, I make piles of money,” he boasted. “I make people afraid for their lives.” On the phone that night, Weev displayed a misanthropy far harsher than Fortuny’s. “Trolling is basically Internet eugenics,” he said, his voice pitching up like a jet engine on the runway. “I want everyone off the Internet. Bloggers are filth. They need to be destroyed. Blogging gives the illusion of participation to a bunch of retards. . . . We need to put these people in the oven!”
I don't know why people would do, or admit, things such as what the New York Times describes (usually it involves some kind of mental disorders)...but in the end, it all caught up to him.
I started at the NYtimes link and it wore me out; it was supposedly about Weev, going from "a hero", to /b/, to Lulz and that was just the prep, I didn't care to read any more about it.
http://www.nytimes.com/2008/08...
I am not defending AT&T. I think they should be heavily fined and hopefully someone go to jail. I also think that someone who exploited the hole should also be sent to jail and heavily fined. The only people I am defending are the ones who had their information stolen. ... In my view the problem was caused by both Weev and AT&T they both should be prosecuted. What do you think?
Jail I believe should be for violent offenders exclusively, jail time for accessing something, even millions of times is ridiculous. If he obtained protected information (cardholder data, SSNs) maybe, but if it isn't "protected" (say an email, first and last name, type of phone etc.) or doesn't come with any terms, it's fair game and the blame for the boring disclosure resides solely with the company since each request was authenticated by them. We have far too many people in jail as it is. We're the world leaders in incarcerations and it's a dirty ass privatized business which I don't want to support when we can put these people to work, and fines do a wonderful job along with some community service. If that's the case Google needs to go to jail for indexing, and bing too since bing fed itself off of google. There was no exploit, this was the system operating as intended, supply it with an IMEI and get info. You want someone in jail for randomly trying a publicly accessible page, incrementally, much like what google does with google maps mapping vehicles. Why isn't this illegal, it's occurring on public roads, too!? They make copies of the data accessible at these locations, or to use your words, they "steal the information" (addresses are personally identifiable information, but also public).
There are some authentications that do not use user/password. For example, Paypal Payflow uses a signature which is a single long number that identifies that account and gives authorization for access. It is a single number somewhat like an IMEI.
Authentication is a fuzzy thing, quick google returned: Authentication is the act of confirming the truth of an attribute of a datum or entity. By entering the IMEI this satiated the authentication, pretty shitty authentication. "Yup, address is good!". In regards to the paypal thing, btw paypal isn't a bank in the majority of the countries they do business in. In order to obtain this signature you need to create an account though, which requires a few pieces of information something an IMEI doesn't require. The signature seems like a token and is part of an authentication scheme, not simply a (terrible) username. The first 8 digits of the IMEI are assigned to manufacturers and made public (pretty good for something "private"!), and Apple, for instance, tends to do 'batch' naming for the rest, so if you have one iPhone IMEI you can guess all the others from that batch just by incrementing. That's a terrible authentication idea there, lou.
That is one URL and not millions of different URLs.
So if each person (in a large pool of say 250k) accesses one URL, with an IMEI that was generated, it's cool? Rape is cool the first time around then too, eh? This conflicts with below :P
Yes, if the IMEI does not belong to you or you have not been authorized by the owner to use it.
Why would I need permission since they can be derived? It's not something that's secret, or is protected, or has any expectation of privacy, it's even broadcast (to the carrier). Otherwise sites like this http://www.imei.info/ wouldn't exist. Think they burn all of those "passwords"?
Don't you see how this is very different from trying millions of different password combinations? One of the precepts of law is intent. It is pretty easy to show no intent when typing in a few incorrect characters. It is easy to show intents when you create a script that generates millions of possible IMEIs and
One gets tired from walking around doing nothing.
Ok then is it hacking if I open http://facebook.com/Some.Rando...
What makes it hacking or not? If there's a direct link on another page?
world was created 5 seconds before this post as it is.
BTW The New York Times is a troll generator, it causes imitation by feeble minded losers by devoting articles to these rookies.
---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
So no online banks, credit card companies, etc.
Sure, if your bank is dumb enough I can walk up to a teller and say "hey, my account is 1234 give me all my money" and they do so, no questions asked, and not even asking to see my ID. And then I walk to the next teller and say "hey my account is 1235..."
In that case we're doing the world a favor by banning them from the internet.
If I have been able to see further than others, it is because I bought a pair of binoculars.
Many insurance companies will find you liable if you don't properly secure your house and will fail to compensate you for your loss. I don't think you realize that there is a burden on the victim to ensure that they practice adequate security.
Seems there is a prevalent feeling on Slashdot that if you leave yourself exposed, wittingly or unwittingly, then the folks who take advantage of that exposure should not be held accountable, should get the benefit of the doubt, or in some cases, even celebrated.
The principle at stake here is the social contract of Trust. We trust each other to not harm one another in everyday life. I trust the clerk at the gas station to not bash me in the head with a bat. He trusts me to not do the same. I trust that the people I invite into my house won't go through my stuff, that they will respect my privacy, and won't steal anything, etc.
People who violate this trust are called criminals, thieves, murderers, etc. Despite what the News says, this does not occur all that often. If it did then we'd be like Somalia. It's why we can function as a society.
Whatever the circumstances that led to this guy accessing, downloading, and keeping the information, he violated the general trust that we all have that others won't mess with our shit, even if we leave it exposed. He also violated the law, which says, in a nutshell, don't fuck with other people's shit.
If you want to use the unlocked door analogy, what he did not do was leave a nice note for the owner saying, "hey, I found your door was unlocked". Instead, he went inside and took stuff, then put up posters all around the neighborhood telling people the door was unlocked, which door it was, and what stuff he took.
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
wtf. i actually didn't hate beta until i tried to post this snide remark. but now i have to enter a subject for my replies? seriously, wtf?
Defense Lawyer: I'd like to call the prosecutor to the witness stand.
Prosecutor: Objection
Judge: This is completely out of bounds.
Defense Lawyer: Your honor, if you would just allow this for a minute...
Judge: Agreed.
(Prosecutor takes witness stand)
Defense Lawyer: Exactly which law is my client accused of breaking?
Prosecutor: The computer security and fraud act.
Defense Lawyer: And exactly how did my client break this law?
Prosecutor: He hacked into the NY Times and stole email addresses.
Defense Lawyer: You misunderstand me. I'm asking for you to describe exactly what actions were taken by my client to hack into the NY Times and steal email addresses, because I am not convinced that any so called hacking took place.
Prosecutor: Ernmmmm. Uh...
Defense Lawyer: Move for a mistrial your honor!
If telephones are outlawed, then only outlaws will have telephones.
Sure, if your bank is dumb enough I can walk up to a teller and say "hey, my account is 1234 give me all my money" and they do so, no questions asked, and not even asking to see my ID. And then I walk to the next teller and say "hey my account is 1235..."
Remember it's not the bank's money. It is the money of the account holder.
They made their bathroom walls out of glass and then complained that he was a peeping tom for setting up a webcam from across the street. Scuzzy? yes, but not illegal.
It varies by state. But...
Pointing a webcam at an uncovered bathroom or bedroom window generally IS explicitly illegal. It will get you busted and into the registered sex offender database.
IANAL but if I understand this correctly the test is whether the peeped-at has a "reasonable expectation of privacy".
In the all-glass bathroom case you might claim that the bathroom user did not have a reasonable expectation. But what if the switch from opaque walls to glass was made by a contractor and the homeowner was blind? That's the kind of situation we have here, and the accused knew it.
Once upon a time, decades ago, the built-in permission systems of computers were also usually considered (by their users and administrators, before the law got involved) to be a presumed-valid expression of intent. My preference would be to have this approach recognized in law - if only to avoid slippery-slopes between users and jail, and to put any blame for security flaws like this on the people designing and deploying the tools. But then things happened (like WiFi access points being shipped with security features off to reduce service calls by new users), and the law has been going a different way.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
So what if it worked this way...
You're checking your account via the phone. You're asked to enter an account #, but you enter it in wrong. The phone doesn't ask for confirmation, but then says "Press one for your transaction history, press two for registered credit card numbers, etc"
Is it still a HACK in this case, because it's not much different. Maybe add that the number you're calling was unlisted and somebody got it by mis-dialing, but I still couldn't see somebody getting jailed over this if it were over a phone instead of over the 'net.
No because you did not run a script to try millions of different character combinations to find the link. Also the information is obviously meant to be public.
Did you read what I was replying to?
if you don't want something publicly accessible, begin by not putting it online
The poster's contention is that anything online is public and I was showing how some private things are also online.
Legally, I believe it's the bank's money. I'm just a high-priority creditor, and my agreement with my bank makes it my prerogative to put money in my checking account and take it out again at will. In event of bankruptcy, the bank is not criminally liable for not having enough money around to pay all of its depositors.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
So, let me get this straight... Weev was convicted of a "crime" that the government prosecutors cannot explain, nor define, under the law? Talk about stupidity in places of power! Talk about massive injustice! DISGUSTING!!! Then, I find out it really might be a HUGE dislike of him, personally, because he is perceived to be un-repentant? Sounds so much like the witch trials of Salem! There, but for the grace of God, go I!