Slashdot Mirror
Is Weev Still In Jail Because the Government Doesn't Understand What Hacking Is?
Daniel_Stuckey writes "Last March, weev, the notorious internet troll who seems to be equally celebrated and reviled, was convicted of accessing a computer without authorization and identity fraud, and sentenced to serve 41 months in prison.'He had to decrypt and decode, and do all of these things I don't even understand,' Assistant US Attorney Glenn Moramarco argued. Here, on a Wednesday morning in Philadelphia, before a packed courtroom, the federal prosecution argued that a hacker should spend three and a half years in prison for committing a crime it couldn't fully comprehend. Previously, Orin Kerr, a law professor at George Washington University and weev's defense attorney, had argued first and foremost that there was no criminal hacking to speak of. According to Kerr, what weev and Daniel Spitler (who pleaded guilty to avoid jail time) had done while working as an outfit called Goatse Security was entirely legal, even though it embarrassed public officials and some of the country's biggest corporations."
They totally sound trustworthy.
Troll is not a replacement for I disagree.
Any public URL that is unencrypted is not a secret. Snooping on plaintext is not snooping at all. And he had no legal requirement to notify AT&T first. Besides, even if he had, they don't care about security until it goes viral. I notified them of a information leak on their iOS translation app that allowed other apps access to your translations and location data. Not only were they unable to figure out who was responsible for the app, they ultimately told me to call Apple. I tried the support for the app as well as customer service. I email their PR rep too. Zero response.
Further more instead of going to ATT, he went to Gawker first.
This, a thousand times.
When you discover a vulnerability:
* Do not go to the vendor. They will often ignore it or sue.
* Do not go to the school or business. They will ignore it, sue, fire, and expel.
* Do not go to the government. They will imprison.
* Do not go to the Interwebz at large. You get everything above.
Take the exploit and related proof to a trusted, large, well-established security company that accepts anonymous submissions and will publicly disclose the exploit if not addressed within a specific number of days.
//TODO: Think of witty sig statement
And it blows open in the wind, I can just hop on in to your house and nose around?
The answer, in case you are wondering, is no. While you should take precautions to secure your house, your failure to do so is not the same as permission to enter or do as I please.
Can we prosecute the NSA for the same crime? Presumably if the prosecutor doesn't fully understand what NSA actually did then that should be good enough to convict.
Weev is whale turds. He's the lowest of the low, he knows it, and he relishes it. He's like a wolverine, pissing and shitting on the carcass he found, so nobody else will try to eat it, even though he can't stand his own stench.
Which is why it sucks so God Damned much to have to defend his useless ass!
But then, if you can't defend the worst of the worst from clear injustice, then we don't even have the hope of having a republic.
[End Of Line]
Fuck that. If disclosing it to these people puts yourself at great risk, it's no wonder it just gets uploaded to the most convenient 0day full disclosure community. Then they HAVE to take it seriously. The broken dynamic is the fault of corporates and governments, not 'hackers.'
Ah... no. If I can type the exploit into the address bar and I need no more than autohotkey to download their entire god damned database then that's not a hack
Too bad that is not what happened. He tried millions of possible IMEIs to get the information. That is not far off from a brute force password attack. That was also where the identity fraud charge came from. The IMEI is used to identify the owner of the phone and by using someone else'es IMEI her was fraudulently acting as the owner of the phone.
Any public URL that is unencrypted is not a secret. Snooping on plaintext is not snooping at all. And he had no legal requirement to notify AT&T first. Besides, even if he had, they don't care about security until it goes viral. I notified them of a information leak on their iOS translation app that allowed other apps access to your translations and location data. Not only were they unable to figure out who was responsible for the app, they ultimately told me to call Apple. I tried the support for the app as well as customer service. I email their PR rep too. Zero response.
I'm really uncomfortable with that logic. First of all saying that if all it takes is typing in a URL, then of course its public belies a level of ignorance just as high as the government in this case. "Just a URL" in the modern internet could be anything. SQL-injection is programmatic hijacking of a database server, but it often requires "just a URL." Buffer overflow attacks require just a URL, many apache worms required just a URL to propagate because of the way URL content can be processed. Just a URL is like saying all programs are just notepad documents. It cannot be the case that "if I can get there, then I get to take whatever I want" is the rule of the internet. I read in another article the analogy that AT&T basically put the material on a library bookshelf for anyone to read. That's not a good analogy: a better analogy is weev went to a public library, found that someone forgot to lock the door to the reserve stacks, and decided to go there and take a bunch of books home with him just because he could.
That is not the person I want to be the flag-bearer for my sense of fairness.
Second, giving anyone who points out a failing in others a free pass to point it out by any means is also something I'm really uncomfortable with. If its okay when done to big companies like AT&T and Apple, then its just as okay to do to smaller organizations like your neighborhood grocery store, or your house.
"Classic works for me, remove the 'beta' stuff from the url."
Be careful, or you'll be tossed in jail for hacking /.
I mean, fair enough. But if you can access every customer's record on a massive nationwide system by incrementing a single digit? That strikes me as "basically public". I sometimes exploit the same "hacking" to find the page of a webcomic I want to read if I forget the bookmark.
As the article says: Does he deserve to go to jail? Probably. For this? No.
... people can claim that they did not know how to do witchcraft, but they could point out to the judge which person were witches which were not.
In the 21st century, people can claim that they do not know how to hack, but they can tell the court who are the hackers and who are not.
As if people never learned any lesson from what had transpired three long centuries ago.
Muchas Gracias, Señor Edward Snowden !
Seems there is a prevalent feeling on Slashdot that if you leave yourself exposed, wittingly or unwittingly, then the folks who take advantage of that exposure should not be held accountable, should get the benefit of the doubt, or in some cases, even celebrated.
The principal at stake here is the social contract of Trust. We trust each other to not harm one another in everyday life. I trust the clerk at the gas station to not bash me in the head with a bat. He trusts me to not do the same. I trust that the people I invite into my house won't go through my stuff, that they will respect my privacy, and won't steal anything, etc.
People who violate this trust are called criminals, thieves, murderers, etc. Despite what the News says, this does not occur all that often. If it did then we'd be like Somalia. It's why we can function as a society.
Whatever the circumstances that led to this guy accessing, downloading, and keeping the information, he violated the general trust that we all have that others won't mess with our shit, even if we leave it exposed. He also violated the law, which says, in a nutshell, don't fuck with other people's shit.
If you want to use the unlocked door analogy, what did not do was leave a nice note for the owner saying, "hey, I found your door was unlocked". Instead, he went inside and took stuff, then put up posters all around the neighborhood telling people the door was unlocked, which door it was, and what stuff he took.
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.