Slashdot Mirror
Is Weev Still In Jail Because the Government Doesn't Understand What Hacking Is?
Daniel_Stuckey writes "Last March, weev, the notorious internet troll who seems to be equally celebrated and reviled, was convicted of accessing a computer without authorization and identity fraud, and sentenced to serve 41 months in prison.'He had to decrypt and decode, and do all of these things I don't even understand,' Assistant US Attorney Glenn Moramarco argued. Here, on a Wednesday morning in Philadelphia, before a packed courtroom, the federal prosecution argued that a hacker should spend three and a half years in prison for committing a crime it couldn't fully comprehend. Previously, Orin Kerr, a law professor at George Washington University and weev's defense attorney, had argued first and foremost that there was no criminal hacking to speak of. According to Kerr, what weev and Daniel Spitler (who pleaded guilty to avoid jail time) had done while working as an outfit called Goatse Security was entirely legal, even though it embarrassed public officials and some of the country's biggest corporations."
They totally sound trustworthy.
Troll is not a replacement for I disagree.
Any public URL that is unencrypted is not a secret. Snooping on plaintext is not snooping at all. And he had no legal requirement to notify AT&T first. Besides, even if he had, they don't care about security until it goes viral. I notified them of a information leak on their iOS translation app that allowed other apps access to your translations and location data. Not only were they unable to figure out who was responsible for the app, they ultimately told me to call Apple. I tried the support for the app as well as customer service. I email their PR rep too. Zero response.
Ah... no. If I can type the exploit into the address bar and I need no more than autohotkey to download their entire god damned database then that's not a hack. They made their bathroom walls out of glass and then complained that he was a peeping tom for setting up a webcam from across the street. Scuzzy? yes, but not illegal. The government shouldn't have to protect you from what common sense should.
Further more instead of going to ATT, he went to Gawker first.
This, a thousand times.
When you discover a vulnerability:
* Do not go to the vendor. They will often ignore it or sue.
* Do not go to the school or business. They will ignore it, sue, fire, and expel.
* Do not go to the government. They will imprison.
* Do not go to the Interwebz at large. You get everything above.
Take the exploit and related proof to a trusted, large, well-established security company that accepts anonymous submissions and will publicly disclose the exploit if not addressed within a specific number of days.
//TODO: Think of witty sig statement
And it blows open in the wind, I can just hop on in to your house and nose around?
The answer, in case you are wondering, is no. While you should take precautions to secure your house, your failure to do so is not the same as permission to enter or do as I please.
Can we prosecute the NSA for the same crime? Presumably if the prosecutor doesn't fully understand what NSA actually did then that should be good enough to convict.
Weev is whale turds. He's the lowest of the low, he knows it, and he relishes it. He's like a wolverine, pissing and shitting on the carcass he found, so nobody else will try to eat it, even though he can't stand his own stench.
Which is why it sucks so God Damned much to have to defend his useless ass!
But then, if you can't defend the worst of the worst from clear injustice, then we don't even have the hope of having a republic.
[End Of Line]
and well..
quite frankly due to the prosecutor not understanding what he had been doing it's just about punishing for joking around. it should be illegal to prosecute something you can't understand. "I don't know what he did but he sure looks guilty, right!? you must convict!".
circa 1997 this happened to me, sort of. ran a traceroute on the wrong night to see where my emails were routed through(our school mandated the use of an internal email system where server wasn't internal and there was no encryption on the email clients(email client was mandated to be a certain windows email reader). now of course I had my machine full of warez(games and early music warez), winnukes, jolt of the day etc(and had winnuked some people so not totally innocent really of everything).
but what shocked me was the police interrogation, because they tried to make me sign something I had not said, because they did not understand the claims made by the "victim"(city) were impossible to have happened from my actions(and claiming shit like me crashing hospital internal network, hopping a supposed airgap and other stuff that I did not do, they just had some internal meltdown of the windows servers routing the traffic on the same day). the way the interrogation went was "you know what you did, tell us" and 16 year old me going "what the fuck dudes?".
originally they wanted me to confess to something technically impossible and it took them nearly 2 years to figure out that they did not know what to charge me with(and for the prosecutor to deem the investigation incompetently done and drop it, and it cost the state quite a lot for nothing...). I mean, the
posting anon but it's not too hard to figure out who this is for those who know.
anyway, doesn't matter which western country you live in always check what the coppers want you to sign and ask the fuckers to rewrite it to match what you actually said. after that ordeal I was convinced 20-30% of "solved" crimes are just pinned on some druggies in withdrawal who don't read what they sign.
Fuck that. If disclosing it to these people puts yourself at great risk, it's no wonder it just gets uploaded to the most convenient 0day full disclosure community. Then they HAVE to take it seriously. The broken dynamic is the fault of corporates and governments, not 'hackers.'
Ah... no. If I can type the exploit into the address bar and I need no more than autohotkey to download their entire god damned database then that's not a hack
Too bad that is not what happened. He tried millions of possible IMEIs to get the information. That is not far off from a brute force password attack. That was also where the identity fraud charge came from. The IMEI is used to identify the owner of the phone and by using someone else'es IMEI her was fraudulently acting as the owner of the phone.
Any public URL that is unencrypted is not a secret. Snooping on plaintext is not snooping at all. And he had no legal requirement to notify AT&T first. Besides, even if he had, they don't care about security until it goes viral. I notified them of a information leak on their iOS translation app that allowed other apps access to your translations and location data. Not only were they unable to figure out who was responsible for the app, they ultimately told me to call Apple. I tried the support for the app as well as customer service. I email their PR rep too. Zero response.
I'm really uncomfortable with that logic. First of all saying that if all it takes is typing in a URL, then of course its public belies a level of ignorance just as high as the government in this case. "Just a URL" in the modern internet could be anything. SQL-injection is programmatic hijacking of a database server, but it often requires "just a URL." Buffer overflow attacks require just a URL, many apache worms required just a URL to propagate because of the way URL content can be processed. Just a URL is like saying all programs are just notepad documents. It cannot be the case that "if I can get there, then I get to take whatever I want" is the rule of the internet. I read in another article the analogy that AT&T basically put the material on a library bookshelf for anyone to read. That's not a good analogy: a better analogy is weev went to a public library, found that someone forgot to lock the door to the reserve stacks, and decided to go there and take a bunch of books home with him just because he could.
That is not the person I want to be the flag-bearer for my sense of fairness.
Second, giving anyone who points out a failing in others a free pass to point it out by any means is also something I'm really uncomfortable with. If its okay when done to big companies like AT&T and Apple, then its just as okay to do to smaller organizations like your neighborhood grocery store, or your house.
"Classic works for me, remove the 'beta' stuff from the url."
Be careful, or you'll be tossed in jail for hacking /.
I mean, fair enough. But if you can access every customer's record on a massive nationwide system by incrementing a single digit? That strikes me as "basically public". I sometimes exploit the same "hacking" to find the page of a webcomic I want to read if I forget the bookmark.
As the article says: Does he deserve to go to jail? Probably. For this? No.
... people can claim that they did not know how to do witchcraft, but they could point out to the judge which person were witches which were not.
In the 21st century, people can claim that they do not know how to hack, but they can tell the court who are the hackers and who are not.
As if people never learned any lesson from what had transpired three long centuries ago.
Muchas Gracias, Señor Edward Snowden !
yep, there's the good ol hacker "she was asking for it" defense.
the egg would have been all over at&t's face if this info had been released anonymously. but weev had his awesome internet persona to worry about.
someone forgot to tell him the cool part of hacking is not getting caught
The notion is more that AT&T has a responsibility to its customers to diligently protect its customers' sensitive information. It's not really saying that there is nothing wrong with the actions, but rather that the far greater concern is the irresponsibility of the party whose security was so poor.
Let's take this idea to an extreme scenario, albeit one that's not too improbable. For a very long time, a nuclear launch code was actually '00000000.' Let's say some hacker had accessed their network, determined this was the case, and made all of the machines with displays on the network say 'Change the fucking password before you doom us all, you stupid fuckwits.' Who are you going to be angry at, the hacker who intercepted their network, or the party that ignored their responsibility in protecting something that could have potentially destroyed civilization as we know it?
This is my signature. There are many like it, but this one is mine.
Americans are never happy unless you're getting your human sacrifices, eh?
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
Seems there is a prevalent feeling on Slashdot that if you leave yourself exposed, wittingly or unwittingly, then the folks who take advantage of that exposure should not be held accountable, should get the benefit of the doubt, or in some cases, even celebrated.
The principal at stake here is the social contract of Trust. We trust each other to not harm one another in everyday life. I trust the clerk at the gas station to not bash me in the head with a bat. He trusts me to not do the same. I trust that the people I invite into my house won't go through my stuff, that they will respect my privacy, and won't steal anything, etc.
People who violate this trust are called criminals, thieves, murderers, etc. Despite what the News says, this does not occur all that often. If it did then we'd be like Somalia. It's why we can function as a society.
Whatever the circumstances that led to this guy accessing, downloading, and keeping the information, he violated the general trust that we all have that others won't mess with our shit, even if we leave it exposed. He also violated the law, which says, in a nutshell, don't fuck with other people's shit.
If you want to use the unlocked door analogy, what did not do was leave a nice note for the owner saying, "hey, I found your door was unlocked". Instead, he went inside and took stuff, then put up posters all around the neighborhood telling people the door was unlocked, which door it was, and what stuff he took.
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.