Is Weev Still In Jail Because the Government Doesn't Understand What Hacking Is?
Daniel_Stuckey writes "Last March, weev, the notorious internet troll who seems to be equally celebrated and reviled, was convicted of accessing a computer without authorization and identity fraud, and sentenced to serve 41 months in prison. 'He had to decrypt and decode, and do all of these things I don't even understand,' Assistant US Attorney Glenn Moramarco argued. Here, on a Wednesday morning in Philadelphia, before a packed courtroom, the federal prosecution argued that a hacker should spend three and a half years in prison for committing a crime it couldn't fully comprehend. Previously, Orin Kerr, a law professor at George Washington University and weev's defense attorney, had argued first and foremost that there was no criminal hacking to speak of. According to Kerr, what weev and Daniel Spitler (who pleaded guilty to avoid jail time) had done while working as an outfit called Goatse Security was entirely legal, even though it embarrassed public officials and some of the country's biggest corporations."
They totally sound trustworthy.
Troll is not a replacement for I disagree.
Any public URL that is unencrypted is not a secret. Snooping on plaintext is not snooping at all. And he had no legal requirement to notify AT&T first. Besides, even if he had, they don't care about security until it goes viral. I notified them of an information leak on their iOS translation app that allowed other apps access to your translations and location data. Not only were they unable to figure out who was responsible for the app, they ultimately told me to call Apple. I tried the support for the app as well as customer service. I emailed their PR rep too. Zero response.
Furthermore, instead of going to ATT, he went to Gawker first.
This, a thousand times.
When you discover a vulnerability:
* Do not go to the vendor. They will often ignore it or sue.
* Do not go to the school or business. They will ignore it, sue, fire, and expel.
* Do not go to the government. They will imprison.
* Do not go to the Interwebz at large. You get everything above.
Take the exploit and related proof to a trusted, large, well-established security company that accepts anonymous submissions and will publicly disclose the exploit if not addressed within a specific number of days.
//TODO: Think of witty sig statement
Weev is whale turds. He's the lowest of the low, he knows it, and he relishes it. He's like a wolverine, pissing and shitting on the carcass he found, so nobody else will try to eat it, even though he can't stand his own stench.
Which is why it sucks so God Damned much to have to defend his useless ass!
But then, if you can't defend the worst of the worst from clear injustice, then we don't even have the hope of having a republic.
[End Of Line]
Any public URL that is unencrypted is not a secret. Snooping on plaintext is not snooping at all. And he had no legal requirement to notify AT&T first. Besides, even if he had, they don't care about security until it goes viral. I notified them of an information leak on their iOS translation app that allowed other apps access to your translations and location data. Not only were they unable to figure out who was responsible for the app, they ultimately told me to call Apple. I tried the support for the app as well as customer service. I emailed their PR rep too. Zero response.
I'm really uncomfortable with that logic. First of all, saying that if all it takes is typing in a URL, then of course it's public belies a level of ignorance just as high as the government in this case. "Just a URL" in the modern internet could be anything. SQL-injection is programmatic hijacking of a database server, but it often requires "just a URL." Buffer overflow attacks require just a URL, many Apache worms required just a URL to propagate because of the way URL content can be processed. Just a URL is like saying all programs are just notepad documents. It cannot be the case that "if I can get there, then I get to take whatever I want" is the rule of the internet. I read in another article the analogy that AT&T basically put the material on a library bookshelf for anyone to read. That's not a good analogy: a better analogy is weev went to a public library, found that someone forgot to lock the door to the reserve stacks, and decided to go there and take a bunch of books home with him just because he could.
That is not the person I want to be the flag-bearer for my sense of fairness.
Second, giving anyone who points out a failing in others a free pass to point it out by any means is also something I'm really uncomfortable with. If it's okay when done to big companies like AT&T and Apple, then it's just as okay to do to smaller organizations like your neighborhood grocery store, or your house.
... people can claim that they did not know how to do witchcraft, but they could point out to the judge which persons were witches and which were not.
In the 21st century, people can claim that they do not know how to hack, but they can tell the court who are the hackers and who are not.
As if people never learned any lesson from what had transpired three long centuries ago.
Muchas Gracias, Señor Edward Snowden !