Slashdot Mirror


'weev' Conviction Vacated

An anonymous reader writes "A few years back, Andrew 'weev' Auernheimer went public with a security vulnerability that made the personal information of 140,000 iPad owners available on AT&T's website. He was later sentenced to 41 months in prison for violating the Computer Fraud and Abuse Act (or because the government didn't understand his actions, depending on your viewpoint). Now, the Third U.S. District Court of Appeals has vacated weev's conviction. Oddly, the reason for the ruling was not based on the merits of the case, but on the venue in which he was tried (PDF). From the ruling: 'Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age, we find it necessary to reach only one that has been fundamental since our country's founding: venue. The proper place of colonial trials was so important to the founding generation that it was listed as a grievance in the Declaration of Independence.'"

148 comments

  1. To the point... by msauve · · Score: 5, Informative

    Spitler was in San Francisco, California and Auernheimer was in Fayetteville, Arkansas. The servers that they accessed were physically located in Dallas, Texas and Atlanta, Georgia. Although no evidence was presented regarding the location of the Gawker reporter, it is undisputed that he was not in New Jersey.

    He was indicted and tried in NJ, despite none of the involved parties being located there.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:To the point... by Anonymous Coward · · Score: 0, Insightful

      I don't think that is 100% accurate. I'm sure some of the 116,067 emails that were exposed by him are residents from NJ.

    2. Re:To the point... by msauve · · Score: 2
      How can an AC be expected to actually read the ruling they're commenting on, which specifically addresses his complaint?

      There was no evidence at trial that Auernheimer's actions evinced any contact with New Jersey, much less contact that was "substantial." The Government has not cited, and we have not found, any case where the locus of the effects, standing by itself, was sufficient to confer constitutionally sound venue.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    3. Re:To the point... by ZombieBraintrust · · Score: 1

      Doesn't matter. If I rob someone in Alaska who happens to own a house in New York the crime still occurred in Alaska. These people had assets in CA. If they want the protection of NJ law they should keep their assets in NJ.

    4. Re:To the point... by parkinglot777 · · Score: 1
      Hmm.. I found this one on TFA... I guess it does not matter whether any emails belong to NJ people but rather focus on the effect on NJ people.

      The government argued that New Jersey was proper because 4,500 e-mail addresses were obtained from residents there. The authorities claimed that even if the venue was improper, it should be disregarded because it did "not affect substantial rights."

    5. Re:To the point... by American+Patent+Guy · · Score: 1

      The decision explains: venue attaches to the location where the criminal acts were *committed*, not where the alleged victims resided.

    6. Re:To the point... by NatasRevol · · Score: 4, Informative

      Actually AT&T exposed the emails.

      --
      There are two types of people in the world: Those who crave closure
    7. Re:To the point... by Shakrai · · Score: 5, Informative

      Actually AT&T exposed the emails.

      After weev modified his user-agent to pass his browser off as an iPad, then wrote a script to throw millions of different ICC-ID codes at AT&T's servers, thereby tricking them into thinking that he was the AT&T customers whose e-mails were exposed.

      AT&T's "security" measures were woefully inadequate, but that doesn't change the fact that calculated and deliberate actions were required to obtain access to information that Mr. Auernheimer and Mr. Spitler knew they had no right to access. They both had the guilty mind (mens rea) required under our legal tradition to sustain a criminal conviction, breaking both the letter and the spirit of the law.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    8. Re:To the point... by NatasRevol · · Score: 4, Informative

      'deliberate actions' don't meet the definition of illegal behavior though.

      They had to be 'accessed without authorization'. Sending different ICC-ID codes is NOT authorization. It's just a query. There was no actual authorization in place, and thus NO ACTUAL LAW WAS BROKEN.

      --
      There are two types of people in the world: Those who crave closure
    9. Re:To the point... by Shakrai · · Score: 3, Interesting

      You're seriously going to argue that even though he had to take deliberate steps to impersonate other people he wasn't accessing information "without authorization"? That's what this boils down to at the end of the day, he tricked AT&T's web servers into thinking he was an AT&T customer, and in so doing obtained access to information about that customer. Then he wrote a script to automate the process and repeated it ~140,000 times.

      I really don't understand why people defend this kid's actions. The Federal prosecution was bullshit, this should have been charged at the State level, but to claim that he's completely innocent when he went out of his way to obtain access to information he knew he had no right to access? That's absurd.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    10. Re:To the point... by GPS+Pilot · · Score: 2

      The proper place of colonial trials was so important to the founding generation that it was listed as a grievance in the Declaration of Independence.

      weev is fortunate that, for once, a court gives a damn about what was important to the founding generation.

      --
      That that is is that that that that is not is not.
    11. Re:To the point... by NatasRevol · · Score: 4, Interesting

      Well, not me, but the appeals court certainly did.
      This paragraph is on page 10 of the ruling:

      The charged portion of the CFAA provides that
      “[w]hoever . . . intentionally accesses a computer without
      authorization or exceeds authorized access, and thereby
      obtains . . . information from any protected computer . . . shall
      be punished as provided in subsection (c) of this section.” 18
      U.S.C. 1030(a)(2)(C). To be found guilty, the Government
      must prove that the defendant (1) intentionally (2) accessed
      without authorization (or exceeded authorized access to) a
      (3) protected computer and (4) thereby obtained information

      This paragraph is on page 12 of the ruling:

      Because neither Auernheimer nor his co-conspirator
      Spitler performed any “essential conduct element” of the
      underlying CFAA violation or any overt act in furtherance of
      the conspiracy in New Jersey, venue was improper on count
      one.

      I guess you're smarter than them.

      Also, if passing a phone identifier to a query of a web server could access all this information, is that really a 'protected computer'? I'd say no.

      --
      There are two types of people in the world: Those who crave closure
    12. Re:To the point... by MouseTheLuckyDog · · Score: 1

      Incorrect they found that the only venues for a crime are locations where essential elements occur. In the case of the parts of the CFAA violated that would either be the location of the hacker at the time of the hacking, or the location of the hacked machine at the time of the hacking.

    13. Re:To the point... by Anonymous Coward · · Score: 1

      You're seriously going to argue that even though he had to take deliberate steps to impersonate other people he wasn't accessing information "without authorization"?

      No. But I am going to seriously argue that the server returning the information implies authorization.

      And don't give us that "unlocked door" bullshit analogy. This is more like a crazy ex whom I forgot still has access to my house holding a garage sale while I'm out of town. It might be embarrassing to me that such a silly mistake on my part has harmed me so greatly, but that doesn't give me justification to go after the people that my crazy ex sold my stuff to. I go after the crazy ex. The fact that the crazy ex is a computer instead of a person should change nothing.

    14. Re:To the point... by Shakrai · · Score: 3, Insightful

      Venue was improper. That doesn't mean he isn't guilty, it just means the Federal Government was inept (shocker, I know) and has managed to turn a common criminal into a martyr because they were too stubborn to simply turn this matter over to the authorities in his home state. I suspect the Feds will just prosecute him again in his home Federal District, wherein he will be convicted, though if they were smart they'd let the State authorities handle this matter. AR has a non-controversial computer trespass law that would cover his actions here.

      Also, if passing a phone identifier to a query of a web server could access all this information, is that really a 'protected computer'? I'd say no.

      And you'd be wrong. You're looking at this from the geek perspective, rather than the legal perspective. Google the reasonable person standard and mens rea, those are two of the most important building blocks of our legal system. Bottom line: He knowingly accessed information that a reasonable person would have known they weren't entitled to access. He did so by tricking AT&T's servers into thinking he was someone other than himself. The icing on the cake were his own words entered into evidence, wherein he admitted that he knew he wasn't entitled to access the information.

      Don't take my word for any of this, go read the body of evidence against him. It's all publicly accessible via PACER.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    15. Re:To the point... by American+Patent+Guy · · Score: 2

      Well, I was trying to keep it simple, but I don't think this Court of Appeals would agree with you. There is a significant discussion beginning at the bottom of page 14 that addresses, for example, whether the "locus of the effect of the criminal conduct" can confer venue. All this Court decided is that where there was no contact with the prosecutor's chosen venue (New Jersey) other than the alleged victims were located there, that venue was improper. The question of whether the site of the servers improperly accessed could confer venue has not yet been decided.

    16. Re:To the point... by NatasRevol · · Score: 0

      neither Auernheimer nor his co-conspirator
      Spitler performed any “essential conduct element” of the
      underlying CFAA violation

      If that's not a 'not guilty' by a court that's not passing actual judgement, I don't know what is.

      He did so by tricking AT&T's servers into thinking he was someone other than himself.

      That doesn't mean UNauthorized.

      he knew he wasn't entitled to access the information.

      And yet there's no legal requirement for 'entitlement'. Just unauthorized access.

      Again, there was no authorization process in AT&T's system, so he could NOT have accessed without authorization. AT&T's systems were set up with explicit full authorization in place. Everybody can access everything. Just enter the code.

      --
      There are two types of people in the world: Those who crave closure
    17. Re:To the point... by hazem · · Score: 1

      The meat-space equivalent is something like reporter (who is not Bob's wife) calling a bar and saying, "I'm Bob's wife, is Bob there?"

      That's unethical maybe, but not illegal. Why should it be illegal just because that's done electronically?

    18. Re:To the point... by NatasRevol · · Score: 0, Troll

      Except that the law *requires* authorization be broken.

      If your door is unlocked AND open, it's not B&E.

      Uh, yeah, the law works perfectly pedantically. Sorry for your obvious ignorance.

      --
      There are two types of people in the world: Those who crave closure
    19. Re:To the point... by Shakrai · · Score: 2

      The meat-space equivalent is something like reporter (who is not Bob's wife) calling a bar and saying, "I'm Bob's wife, is Bob there?"

      A better analogy would be calling AT&T and saying "I'm Bob, can you tell me when my bill is due?" You've impersonated Bob and used it to obtain access to personally identifiable information, you'd be guilty of a number of different crimes in such a circumstance.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    20. Re:To the point... by maz2331 · · Score: 1

      Keep in mind that all his script actually accessed was the login page itself, that the user agent string can be set to anything on any browser, and the request itself was no different from trying to access "http://the.site.com/p?000001" then "/p?000002"... etc. It didn't actually get to the *protected* data itself, and there isn't really any privacy interest or expectation in an email address itself, either.

    21. Re:To the point... by NatasRevol · · Score: 1

      Please let us know what authorization scheme was broken.

      Or what AT&T put into place to ensure authorization was occurring.

      --
      There are two types of people in the world: Those who crave closure
    22. Re:To the point... by Anonymous Coward · · Score: 0

      No, the law requires you to, and I quote here from (a)(2) of the CFAA:

      "(a)Whoever- [] (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains []"

      It doesn't say "breaks authorization" - it says, accesses a computer without authorization, or exceeds authorized access.

      If you try to argue that you're "authorized" to whatever access you can get by any means you're able to employ, then your argument flies in the face of centuries of accepted law and precedent, as well as common sense.

      And yes, if my door is unlocked, and it is open, you're still breaking the law, because you're trespassing unless you have my authorization to be there. If my door is closed, and you have to open it by even so much as turning a knob and pushing the door open, it's absolutely breaking and entering.

      Try again, fucktard.

    23. Re:To the point... by NatasRevol · · Score: 0

      So 'exceeding authorized access' isn't breaking access?

      I said going through an unlocked AND open door wasn't B&E. Didn't mention trespassing or that it was legal.

      Read again, illiterate fuck.

      --
      There are two types of people in the world: Those who crave closure
    24. Re:To the point... by American+Patent+Guy · · Score: 3, Informative

      Going a little further: the decision at the bottom of page 15 hints that the litmus test of whether venue would be proper where the server is located is whether there was "some sense of venue having been freely chosen by the defendant." Here, the defendant may not have even known where the server was located. (Do you know where all the servers you access are located when you're using the Internet?) I think the prosecutor would have to show that knowledge on the part of the defendant before he could show that venue was proper.

      Venue is a tricky subject. It is a favorite for law school professors to test upon. I wouldn't presume to ever completely know the subject.

    25. Re:To the point... by ganjadude · · Score: 2

      and if you are a public location, if you do not lock up behind you, then you have no reason to complain when people go inside. This is a little different than a private home. I'm not saying that the kid was within his rights to do what he did, but I don't think your argument is the correct one

      --
      have you seen my sig? there are many others like it but none that are the same
    26. Re:To the point... by mjtaylor24601 · · Score: 3, Informative

      neither Auernheimer nor his co-conspirator Spitler performed any “essential conduct element” of the underlying CFAA violation

      If that's not a 'not guilty' by a court that's not passing actual judgement, I don't know what is.

      Not that I have a particular opinion on the specifics of this case but I think you may have truncated that quote a few words too early

      Because neither Auernheimer nor his co-conspirator Spitler performed any “essential conduct element” of the underlying CFAA violation in New Jersey, venue was improper

      I read that to mean "no crime was committed in New Jersey" not "no crime took place".

      --
      I wish I were as sure of anything as some people are of everything
    27. Re:To the point... by Shakrai · · Score: 1

      there isn't really any privacy interest or expectation in an email address itself, either.

      You should familiarize yourself with the term "personally identifiable information"

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    28. Re:To the point... by Shakrai · · Score: 1

      If that's not a 'not guilty' by a court that's not passing actual judgement, I don't know what is.

      That's some selective quoting right there, chopping it off at "or any overt act in furtherance of the conspiracy in New Jersey". They didn't conclude that he didn't commit the crime, they concluded that no actions taken in furtherance of the offense were performed in New Jersey.

      Again, there was no authorization process in AT&T's system

      It was keyed to only populate the e-mail field when both of the following were present: The user-agent of an iPad's web browser and a valid ICC-ID code belonging to an AT&T customer. They used these two items of information to impersonate AT&T customers and steal their personally identifiable information. Of course, your point is irrelevant either way, because the law doesn't care about "authorization process", it only cares that you accessed information you were not authorized to access. No reasonable person would conclude that they were authorized to access PII under these circumstances, wherein they had to trick AT&T's server into thinking they were somewhere else to obtain the information.

      If this goes to trial again he will be convicted. If he has half a brain he'll cut a plea deal with the US Attorney, save everybody the hassle of another trial, and likely walk away with time already served. Frankly I doubt he'll do that, because he strikes me as exceedingly arrogant, but perhaps he's humbled after some time behind bars.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    29. Re:To the point... by Anonymous Coward · · Score: 0

      So 'exceeding authorized access' isn't breaking access?

      Do you not know how to parse an "or" statement? "Accesses a computer without authorization" OR "exceeds authorized access." One or the other, neither of which require "breaking access controls." Just like "walking into my house through an open door" doesn't require you to smash your way in - you don't have to "break" anything to "exceed your authorized access levels." You just have to do something you're not authorized to do by the owner of the system, and the data.

      I said going through an unlocked AND open door wasn't B&E

      That's good, because I said that the door was locked AND closed, which == B&E, which == Illegal. Your counterexample of "but if the door's wide open" is STILL illegal, and is STILL a case of you being someplace you're not authorized to be. Your counterexample changes NOTHING about whether or not you're authorized to be there, and you're just digging the hole deeper, aspie.

    30. Re:To the point... by smartr · · Score: 1

      In no way shape or form is a "Browser agent" a security measure. Identifying a user's browser agent is not, never was, and never will be a security or authorization method. If you do any web based testing, you can change your browser agent. It's the equivalent of telling another machine what kind of clothes you are wearing. "Hi! I'm wearing firefox 1.0 today." Then AT&T says, "Neat! Since you said you're wearing firefox, you get data we're legally not supposed to give you." Replace Firefox with your browser environment of choice.

      Explain to me how any part of changing a browser agent is, "Accessing a system without authorization", when it is not a method of authorization?

      I'll assume you can tell the difference between black and white and move on to what the docket describes as a "brute force attack". A brute force attack means sending a massive amount of data to find collisions with a ***SECURE*** piece of information. For example, a randomized 64 bit number has over 10 quintillion possibilities. To brute force a 64 bit secure number and get 100,000 results, you would need to try on average 100 trillion numbers for each of those results. In this case, the information in question was an incremental number. For example 1 is a number. 2 is the number after that. 3 is the number after 2, and so on. Counting in a visible parameter is not, never was, and never will be a security or authorization method. If you can see a number, and increment it, that does not give AT&T permission to give data they're legally not supposed to give to you.

      Explain to me how any part of counting is, "Accessing a system without authorization", when it is not a method of authorization?
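
Added example (not part of any comment in this thread, and not AT&T's code): a minimal Python model of the check described in comment 28, where the User-Agent and the identifier in the request decide the response, next to a version where the server decides from a session it issued itself. The subscriber table, `issue_session`, the token format and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: identifier -> account e-mail (not real values).
SUBSCRIBERS = {
    "8900000000000000001": "alice@example.test",
    "8900000000000000002": "bob@example.test",
}

# Per-process signing key for session tokens (assumption for this sketch).
SERVER_KEY = secrets.token_bytes(32)


def lookup_weak(headers, icc_id):
    """The pattern discussed in the thread: both inputs come from the client.

    Nothing here proves who the caller is, so the server has no basis for
    deciding that the caller owns the account behind icc_id.
    """
    if "iPad" not in headers.get("User-Agent", ""):
        return 403, None
    email = SUBSCRIBERS.get(icc_id)
    if email is None:
        # A distinct status for unknown identifiers also tells the caller
        # which identifiers are valid.
        return 404, None
    return 200, email


def _sign(icc_id):
    return hmac.new(SERVER_KEY, icc_id.encode(), hashlib.sha256).hexdigest()


def issue_session(icc_id, credentials_ok):
    """Hypothetical login step: a token is issued only after the caller has
    proven ownership of the account (credential check abstracted as a bool)."""
    if not credentials_ok or icc_id not in SUBSCRIBERS:
        return None
    return f"{icc_id}.{_sign(icc_id)}"


def _session_subject(token):
    """Return the identifier a token was issued for, or None if it is invalid."""
    if not token or "." not in token:
        return None
    icc_id, tag = token.rsplit(".", 1)
    if hmac.compare_digest(tag.encode(), _sign(icc_id).encode()):
        return icc_id
    return None


def lookup_hardened(session_token, icc_id):
    """Authorization comes from server-issued state, not request headers.

    The User-Agent is not consulted at all. Unknown identifiers, other
    people's identifiers and missing or forged tokens all get the same answer.
    """
    subject = _session_subject(session_token)
    if subject is None or subject != icc_id:
        return 403, None
    return 200, SUBSCRIBERS[subject]
```

With the hardened handler, the question argued over in the thread does not arise in the same form: the server has made an explicit authorization decision for each request and can log each denial.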

    31. Re:To the point... by Anonymous Coward · · Score: 0

      I'm so glad you're not a lawyer. Receiving and possessing stolen goods is just as illegal as stealing them and giving them away in the first place.

      http://en.wikipedia.org/wiki/P...

    32. Re:To the point... by Anonymous Coward · · Score: 0

      and if you are a public location, if you do not lock up behind you, then you have no reason to complain when people go inside

      Great - In what way was AT&T's server a "public location"? Again - just because you can see my door unlocked & open from the street does not authorize you to walk on in and help yourself to some gumbo from my refrigerator.

      This is not a private home, but it certainly was private property, owned and operated by AT&T, and authorized ONLY for use by their customers and for designated purposes. It was not a public park - despite the fact that you can "see" their website on the public internet. In fact, they took steps to prevent you from seeing the data on the server unless you were authorized; that those steps weren't effective is irrelevant in this case. There was no reasonable expectation that the data was public data, free for anybody to just grab some.

    33. Re:To the point... by linuxrocks123 · · Score: 1

      This is unsettled law. The CFAA is very vague, so judges have to interpret it, so it's unsettled. Saying it's the "geek perspective" is meaningless; expert opinion certainly matters here.

      Until we get a Supreme Court CFAA case, we'll never really know what that stupid law means. Until we know what it means, overzealous prosecutors will be using it to bully people into accepting plea bargains or killing themselves. Aaron's Law appears to be dying in committee. It's a damn shame.

      Think of the intent of the actions here. Did he sell these email addresses to spammers on the black market? No, he contacted the press. These are not the actions of someone who should be sent to jail.

      --
      vi ~/.emacs # I'm probably going to Hell for this.
    34. Re:To the point... by Anonymous Coward · · Score: 0

      User agent string is not a security control, and people like you that try to make it acceptable as one are retards.

      Expose garbage code, publish the results, cause PR nightmares, make security teams scared. It's the only way anything gets fixed.

      Fuck responsible disclosure.

    35. Re:To the point... by slimjim8094 · · Score: 2

      You're seriously going to argue that even though he had to take deliberate steps to impersonate other people he wasn't accessing information "without authorization"?

      Yes. "Without authorization" is more than "well I wasn't expecting him to ask that question!".

      That's what this boils down to at the end of the day, he tricked AT&T's web servers into thinking he was an AT&T customer, and in so doing obtained access to information about that customer.

      No, he sent a query to the webserver, and the webserver did what it was designed to do and answered it. AT&T was the one making the mistake by assuming that all trivially-correctly-formatted requests were from AT&T customers as opposed to actually checking whether the requester was - in fact - a customer (something they could've easily done!)

      Then he wrote a script to automate the process and repeated it ~140,000 times.

      Sure. So? It means he knows how to use 'seq' and 'wget'. Would it be different if he changed the number in his browser 140k times?

      I really don't understand why people defend this kid's actions.

      Like a lot of prosecutions people complain about, it wasn't really about the "kid" (why does it matter if he's a "kid"?). It's about precedent, and "some queries shouldn't be sent to a webserver, but you don't know what those are until we nail your ass" is a pretty damn bad precedent.

      The Federal prosecution was bullshit, this should have been charged at the State level, but to claim that he's completely innocent when he went out of his way to obtain access to information he knew he had no right to access? That's absurd.

      He probably had a suspicion that AT&T didn't mean to provide this access, but they did. This is more like calling up a place and asking what Frank's address is - you may think it's odd that they told you, but in the absence of even trivial checks to see whether you really are Frank, it would be reasonable to conclude that this was intended to be public. After all, they just happily told a member of the public. And no, the user agent is not even a trivial check, since every browser pretends to be every other browser anyway.

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    36. Re:To the point... by Shakrai · · Score: 1

      No, he sent a query to the webserver, and the webserver did what it was designed to do and answered it.

      You're overlooking the part about purposefully manipulating the query in such a fashion as to trick the webserver into thinking you're someone else.

      AT&T was the one making the mistake by assuming that all trivially-correctly-formatted requests were from AT&T customers as opposed to actually checking whether the requester was - in fact - a customer (something they could've easily done!)

      AT&T's mistakes do not excuse the actions of the accused.

      It's about precedent, and "some queries shouldn't be sent to a webserver, but you don't know what those are until we nail your ass" is a pretty damn bad precedent.

      There's no overly broad precedent here, unless you're trying to claim that prosecuting people for impersonation is a scary precedent.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    37. Re:To the point... by ganjadude · · Score: 1

      it doesn't work that way

      when I send a request to the server, I am knocking on your door. You can either tell me I am welcome, or you can refuse entry. If you tell me I am welcome then you can't also try and claim I accessed something without authorization because your server did authorize it

      --
      have you seen my sig? there are many others like it but none that are the same
  2. sad day for those who don't like 4chan trolls by Anonymous Coward · · Score: 0

    his conviction was BS but he was a blight on the internet

    1. Re:sad day for those who don't like 4chan trolls by bmajik · · Score: 4, Insightful

      Not liking someone isn't a good enough reason to put them in jail.

      Usually. For now.

      --
      My opinions are my own, and do not necessarily represent those of my employer.
    2. Re:sad day for those who don't like 4chan trolls by roc97007 · · Score: 5, Funny

      From a practical standpoint, it depends on who doesn't like him.

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    3. Re:sad day for those who don't like 4chan trolls by jeffmflanagan · · Score: 1, Interesting

      Not liking someone isn't a good enough reason to put them in jail.

      Then why are people in jail for smoking pot, or being in the wrong location while black?
      People go to jail all the time just because some idiot with power didn't like them.

    4. Re:sad day for those who don't like 4chan trolls by Shakrai · · Score: 2, Insightful

      Not liking someone isn't a good enough reason to put them in jail.

      He deserved to go to jail. Read the body of evidence against him. This wasn't a simple exposure of a security flaw in AT&T's website. He took deliberate actions to maximize the collection of information, bypassed security measures to obtain said information (that the security measures were woefully inadequate is beside the point, deliberate actions were required to bypass them), and discussed ways to use the obtained information for personal profit with his co-conspirator.

      None of that is to suggest that I agree with dragging him halfway across the country, or even with the Feds getting involved in the first place. His home state (Arkansas) has a computer trespass statute that would have been sufficient to prosecute him under, or the Feds could have at least tried him in his own district. I suspect that the former is what may happen now, since double jeopardy won't apply to a State level prosecution, and if it shakes out fairly he'll get credit for the time served in Federal prison without additional jail/prison time being imposed. First time offender and a non-violent crime after all...

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    5. Re:sad day for those who don't like 4chan trolls by mmell · · Score: 2

      Not liking someone isn't a good enough reason to put them in jail.

      He didn't say it never happens. He said it isn't a good enough reason for it to happen.

    6. Re:sad day for those who don't like 4chan trolls by RyuuzakiTetsuya · · Score: 1

      yet doxxing someone and starting a campaign of threats isn't?

      --
      Non impediti ratione cogitationus.
    7. Re:sad day for those who don't like 4chan trolls by GodInHell · · Score: 1

      Sounds like you probably aren't from the southern U.S.

    8. Re:sad day for those who don't like 4chan trolls by GodInHell · · Score: 1

      Then why are people in jail for smoking pot, or being in the wrong location while black?

      Wait -- back up. You know that one of those two things is actually on-the-books against the law and the other is not, right? I hope. Please?

    9. Re:sad day for those who don't like 4chan trolls by bzipitidoo · · Score: 3, Informative

      that the security measures were woefully inadequate is beside the point

      On the contrary, we cannot have the law being abused to take the place of security. Too many people would fake the security and rely on the law to make it work. Too many are already doing exactly that. It's a costly and unreasonable burden upon the public. Pay for your own security. That includes designing a reasonable system, implementing it properly so that it actually works, and performing tests and audits. Just because perfection is hard is no reason to excuse sloppy security work. DRM, for instance, fails the reasonability requirement. We have had our publicly funded police forces and courts misused to confiscate prescription drugs, improperly demand license fees from users rather than producers (SCO scared and bullied a few users into paying for a license to use Linux), and of course conduct a massive campaign to hold back technology in the name of stopping piracy. ISPs are pretty well free of being burdened with requirements to keep years and years of logs, for fishing expeditions, but there is still danger it could become the law.

      It is also better not to have doubt about whether some security effort was meant to be real but was bungled, or was indeed faked and, after being breached, is claimed to have been a real effort all along and therefore the breaches are worthy of prosecution. This is especially true on a system that is not experimental, but is instead an implementation of well known, effective methods. AT&T wasn't doing anything new, no, they just plain blew it. Saves us all a lot of time and money arguing over a pointless aside.

      We even have cases of security law being gamed. We don't need someone setting up a honey pot to snare particular victims, then running to the law to complain that mean, bad people broke in, ask that the seeming perpetrators be thrown in prison, and kick back and watch as the full paranoia and wrath of the law is released upon their enemies.

      Owners should install working locks on their doors and use them, not demand that the government spend enough money, no matter how much, to watch every door all the time because they can't be bothered to spend the trivial amount of money needed to have a working lock.

      --
      Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
    10. Re:sad day for those who don't like 4chan trolls by Anonymous Coward · · Score: 0

      Marked as funny - which it would be, if it weren't true.

    11. Re:sad day for those who don't like 4chan trolls by roc97007 · · Score: 1

      Thank you. I'll take the Score:5, but it wasn't meant to be funny.

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    12. Re:sad day for those who don't like 4chan trolls by Shakrai · · Score: 1

      How is the law being abused here? Go read the evidence in this case. AT&T set up a system that was designed to automatically populate an e-mail field for the convenience of their customers. They did this by matching two different variables, the user-agent of the iPad web browser and the ICC-ID number from the SIM card contained therein. Two people then discovered that they could fake both of those variables to obtain the personally identifiable information (PII) of AT&T customers. They did this in a deliberate manner while discussing ways of using the obtained information for profit, with ideas ranging from spamming (direct marketing of iPad accessories to people who obviously owned iPads) to securities fraud (they floated the idea of shorting AT&T's stock when news of the security breach broke) to the enhancement of their own reputation (look how awesome of a security guy I am, I broke into AT&T, buy my consulting services!)

      AT&T's failings are not really relevant here. The process of obtaining the PII was sufficiently complicated as to make it readily apparent that the information obtained was not for public consumption. No reasonable person would conclude that they were entitled to access the PII of AT&T's customers. No reasonable person would discover this security flaw then write a script to automate the collection process while exploring methods of using the obtained information for personal financial gain.

      Your whole argument can be distilled to three words: Blame the victim.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
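An added illustration of the design described in the comment above (not part of the thread, and not AT&T's code): a lookup keyed only on the two client-supplied values, next to one possible alternative that also requires a per-device secret, plus a monitor that notices one client asking about many ICC-IDs. All function names, the sample records and the token scheme are assumptions made for this sketch.

```python
"""Added example: identifier-only lookup vs. a lookup bound to a server secret."""
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample data (not real subscribers): ICC-ID -> e-mail address.
SUBSCRIBERS = {
    "89014100000000000017": "alice@example.com",
    "89014100000000000025": "bob@example.com",
    "89014100000000000033": "carol@example.com",
}
IPAD_UA = "Mozilla/5.0 (iPad; CPU OS 3_2 like Mac OS X)"  # constructed value


def lookup_weak(user_agent, icc_id):
    """Both inputs come from the client, so neither proves who is asking."""
    if "iPad" not in user_agent:
        return None
    return SUBSCRIBERS.get(icc_id)


# Assumption: the server holds a key and hands each device a token derived
# from its own ICC-ID when the device is provisioned.
SERVER_KEY = secrets.token_bytes(32)


def issue_device_token(icc_id):
    return hmac.new(SERVER_KEY, icc_id.encode(), hashlib.sha256).hexdigest()


def lookup_hardened(user_agent, icc_id, token):
    """Same convenience feature, but the caller must hold the device token."""
    expected = issue_device_token(icc_id).encode()
    if not hmac.compare_digest(expected, (token or "").encode()):
        return None
    return SUBSCRIBERS.get(icc_id)


class EnumerationMonitor:
    """Flags a client that asks about more ICC-IDs than one device would."""

    def __init__(self, max_distinct=2):
        self.max_distinct = max_distinct
        self.seen = defaultdict(set)

    def observe(self, client, icc_id):
        self.seen[client].add(icc_id)
        return len(self.seen[client]) > self.max_distinct


def disclosed_without_secret():
    """Count addresses each design returns to a caller holding no token."""
    weak = sum(1 for i in SUBSCRIBERS if lookup_weak(IPAD_UA, i))
    hard = sum(1 for i in SUBSCRIBERS if lookup_hardened(IPAD_UA, i, ""))
    return weak, hard


if __name__ == "__main__":
    print("disclosed (weak, hardened):", disclosed_without_secret())
    monitor = EnumerationMonitor()
    for icc in SUBSCRIBERS:
        print(icc, "flagged:", monitor.observe("198.51.100.7", icc))
```
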
    13. Re:sad day for those who don't like 4chan trolls by Anonymous Coward · · Score: 0

      You're missing the real point which is that the Feds have been using New Jersey as a venue for computer crimes in a number of cases to exploit the CFAA's synergy with state laws to try to enhance their success rate and length of incarceration due to NJ's overreaching state computer crime laws.

      What's the likelihood, double jeopardy arguments aside (which itself may torpedo the case), that the feds will be able to get a conviction now? It's going to be an uphill battle.

    14. Re:sad day for those who don't like 4chan trolls by adolf · · Score: 1

      I'm a bit of a devil's advocate as I write this, but:

      The law is already responsible for security. When I leave the cheap door locks on my house locked and the windows open (but locked, and because the weather is beautiful), and someone breaks in (by picking the lock, using a metal rod to bypass the locked window, a sledgehammer to knock the doorknob-lock off of the door, or just throwing a brick through the window), the crime is the same as if I had fancy Medeco deadbolts, high-security doors, wrought-iron security cages over the windows, a solid alarm system, and a well-trained attack dog: B&E.

      The reason? As I understand it, it revolves around intent. I intend for my house to be secure, and therefore (in the eyes of the law) it is.

      What makes electronic security different from physical security?

    15. Re:sad day for those who don't like 4chan trolls by bzipitidoo · · Score: 1

      Microsoft makes an especially good example of the results of ignoring security for convenience. Does AT&T deserve leniency and approval for trying to make life convenient? Not when they could have easily had the same convenience with real security.

      Why should the law jump when AT&T whistles? Consider this scenario. Alice leaves the door to her business unlocked, and the lights on, and Steve observes this. Steve sends a fake invitation to Bob for an after hours party at Alice's business. Bob goes, and enters. For some extra fun, Steve also tells Bob where some food is, and that he should help himself to it. Alice throws a fit and calls the police. Now what? Obviously, it's overzealous to arrest Bob for trespassing and looting. The police might do so anyway, for several reasons. Maybe they have to follow a policy that emphasizes getting control of every situation as fast as possible, and so they burst in with guns drawn, scream at Bob and throw him to the floor, and taser and handcuff him for good measure. Maybe Bob was stupid, should've been suspicious and knocked first, or not gone at all? But that's expecting a lot of Bob. If Alice had simply locked the doors, Bob would've been unable to walk in, and the entire incident would've come to nothing. Alice should shoulder some responsibility for not making things as clear as easily possible to Bob. No, a "no trespassing" or "closed" sign with hours is not good enough, not when it is so easy to just lock the door. A locked door is the clearer, more universal message, and very easy to do. Not everyone reads the same language, and some can't read at all.

      The process of obtaining the PII was sufficiently complicated as to make it readily apparent that the information obtained was not for public consumption.

      No, it isn't safe to assume that. Add one more thing to the scenario above. Steve programs a web page to hide all the complexity, so that Bob can't readily tell he has stumbled into something private. Again, it is so easy to stop both Bob and Steve by just locking the door.

      --
      Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
  3. Or in legal parlance by korbulon · · Score: 4, Funny

    They invoked the writ of Copus Outus.

    1. Re:Or in legal parlance by krlynch · · Score: 5, Informative

      Which is more officially the Doctrine of Constitutional Avoidance: http://en.wikipedia.org/wiki/C...

    2. Re:Or in legal parlance by SailorSpork · · Score: 2

      Yeah, "Don't Make New Laws Unless You Have To" looks like copping out, but is actually something I completely support. When new laws are made, it usually just makes things more complicated, may create unintended/unforeseen consequences, and so forth.

    3. Re:Or in legal parlance by korbulon · · Score: 1

      Even though there's a name and history for it doesn't make the ruling any more satisfying: "we're letting him go, but don't get the idea that we want to, it's just because we're not willing to make any sort of actual decision about it." But IANAL and all that shit, so what the hell does my opinion as a concerned citizen matter? Best to leave these sort of things in the hands of experts and I will get back to being a tiny gear.

    4. Re:Or in legal parlance by Travis+Mansbridge · · Score: 1

      Actually, the appeals circuit doesn't reevaluate the evidence of a case but merely whether the letter of the law was followed during the trial. If it wasn't, a new trial begins, and if it was, they may still appeal to a higher (supreme) court.

    5. Re:Or in legal parlance by davecb · · Score: 1

      Yup: excessive enthusiasm and pilpul don't make a good mixture.

      --dave
      [Hmmn, I'm thinking red/green/refactor may be something legal draftsmen may want to investigate. The conviction was RED, this is GREEN, a good case before a superior court would be the REFACTOR]

      --
      davecb@spamcop.net
    6. Re:Or in legal parlance by Anonymous Coward · · Score: 0

      Constitutional avoidance is specifically about striking down unconstitutional laws and acts. In other words, letting the government continue violating the Constitution if they can find absolutely any other tiny possible way to get out of having to tell the government to "stop doing that".

      Just another reminder that the Constitution is not the law, at best it could be considered the supreme suggestion of the land.

    7. Re:Or in legal parlance by c · · Score: 1

      Even though there's a name and history for it doesn't make the ruling any more satisfying: "we're letting him go, but don't get the idea that we want to, it's just because we're not willing to make any sort of actual decision about it."

      If you actually read the ruling, footnote 5 strongly suggests that if they'd actually had to make a decision on the actual purported crime, they don't believe the government actually produced any evidence suggesting the New Jersey law was violated.

      --
      Log in or piss off.
    8. Re:Or in legal parlance by Anonymous Coward · · Score: 0

      Here I was thinking that the rule of constitutional avoidance was how the government was justifying the domestic NSA activity.

      Reading it, it makes sense.

  4. Gay niggers rejoice! by Anonymous Coward · · Score: 0, Troll

    Free celebratory showings of Gayniggers from Outer Space will be happening near you.

    1. Re:Gay niggers rejoice! by MrBingoBoingo · · Score: 0

      Finally said without being a Troll comment!

    2. Re:Gay niggers rejoice! by Anonymous Coward · · Score: 0

      Their mission: to boldly go where no man has gone before.

    3. Re:Gay niggers rejoice! by mmell · · Score: 1

      Agreed - A/C's all look like they're at -1 to me anyhow . . .

  5. What happens now? by gnasher719 · · Score: 4, Interesting

    From Wikipedia: "Relief from judgment of a United States District Court is governed by Rule 60 of the Federal Rules of Civil Procedure.[1] The United States Court of Appeals for the Seventh Circuit noted that a vacated judgment "place[s] the parties in the position of no trial having taken place at all; thus a vacated judgment is of no further force or effect."[2] Thus, vacated judgments have no precedential effect.[3]"

    That seems to say that he is now in a legal position as if the trial had never taken place. So can he be taken to court in the proper place now?

    1. Re:What happens now? by Registered+Coward+v2 · · Score: 2

      From Wikipedia: "Relief from judgment of a United States District Court is governed by Rule 60 of the Federal Rules of Civil Procedure.[1] The United States Court of Appeals for the Seventh Circuit noted that a vacated judgment "place[s] the parties in the position of no trial having taken place at all; thus a vacated judgment is of no further force or effect."[2] Thus, vacated judgments have no precedential effect.[3]" That seems to say that he is now in a legal position as if the trial had never taken place. So can he be taken to court in the proper place now?

      INAL, but from my understanding of double jeopardy he could be retried. It appears to be a procedural error which would allow a retrial; in this case in the proper venue.

      --
      I'm a consultant - I convert gibberish into cash-flow.
    2. Re:What happens now? by Anonymous Coward · · Score: 0

      Wouldn't that be double jeopardy?

    3. Re:What happens now? by 93+Escort+Wagon · · Score: 1

      No - see the last paragraph in the post you're responding to.

      --
      #DeleteChrome
    4. Re:What happens now? by un1nsp1red · · Score: 1

      It would only be double-jeopardy if he went completely through trial and judgement. Since it was vacated, it was like it never happened.

    5. Re:What happens now? by bruce_the_loon · · Score: 3, Informative

      If he is retried, he can bring into evidence footnote 5 on page 12 of the judgement where the judges advanced the opinion that he was innocent of the accessing without authorization or in excess of authorization charge because there was no password or code barrier and the program accessed a publicly facing interface and retrieved information that AT&T unintentionally published. It reads that even if they found the venue as correct, they would have vacated the guilty verdict because of that.

      --
      Trying to become famous by taking photos. Visit my homepage please.
    6. Re:What happens now? by Hentai · · Score: 2

      Hmm. Overly-cynical thought:

      Convict him, put him in prison, let him start serving out his sentence, vacate conviction based on venue.

      Re-charge him in the proper venue, put him in jail without bail, let him stew for a few years. Then try him again, convict him again, put him in prison for a year or so again. Then vacate THAT conviction based on another technicality.

      Then re-charge him again, put him in jail without bail again, let him stew for a few more years while you set up a third trial. Then try him again, convict him again, put him in prison for awhile again, then vacate THAT conviction...

      I wonder how long you could play judiciary ping-pong with someone you REALLY didn't like?

      --
      -Hentai [in vita non pacem est]
    7. Re:What happens now? by Yebyen · · Score: 1

      I haven't read the judgement (I am a good armchair lawyer though, have read lots of opinions and regurgitation of other people's interpretation of the facts) but I am pretty sure that was a part of the New Jersey law, so in any retrial it would be irrelevant, since the standard is lower.

      It would have probably been better for Weev if AT&T's servers actually were in New Jersey, since then these judges would be forced to say what they think about the NJ law as it applies to this case, which is pretty clearly what you said. The password or code - there was no such barrier to access, so no illegal access through forged authorization occurred.

      This barrier requirement is part of the New Jersey law, and the threshold for abuse in the federal statutes is lower. Ah. Here, found it:
      See State v. Riley, 988 A.2d 1252,
      1267 (N.J. Super. Ct. Law Div. 2009) (p12 of the ruling)

      --
      Restating the obvious since nineteen aught five.
    8. Re:What happens now? by Anonymous Coward · · Score: 0

      Even if they couldn't retry him for a federal crime, current Supreme Court definitions of double jeopardy allow the government to try him again for a state crime, possibly once in each state even.

    9. Re:What happens now? by Anonymous Coward · · Score: 0

      Until their time served is equal to or greater than the punishment they would get. Any competent lawyer would get previous time-served credited towards the new conviction.

    10. Re:What happens now? by Shakrai · · Score: 2

      The password or code - there was no such barrier to access, so no illegal access through forged authorization occurred.

      He still could have been charged under CFAA, without the felony enhancement (or without it through some other requirement), or any one of a number of state-level computer trespass laws. My home state (New York) has a felony computer trespass law that would apply to the exact same crime committed within our jurisdiction, and Arkansas (weev's home state) has a similar statute.

      As a general rule of thumb the law is less concerned about the specific security measures bypassed and more concerned with whether or not you knew you were entitled to access the information (the record here is clear that he knew he was not) but still took deliberate measures to obtain said access.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    11. Re:What happens now? by phantomfive · · Score: 1

      Convict him, put him in prison, let him start serving out his sentence, vacate conviction based on venue.

      His lawyer should have protested the venue in the first place. That is my understanding of the situation.

      Either way I hope 'weev' learned not to be a griefer. Otherwise he's just a jerk.

      --
      "First they came for the slanderers and i said nothing."
    12. Re:What happens now? by Anonymous Coward · · Score: 0

      Accessing a public facing web page is like accessing a phone book in a public phone booth. You can't tell me I can only look at entries of people I know.

    13. Re:What happens now? by Anonymous Coward · · Score: 0

      Umm, his lawyer did object to venue and was shot down by the court. Doesn't anyone read anything anymore?

    14. Re:What happens now? by mmell · · Score: 1

      Two factors - first, does prejudice apply, or was the conviction vacated without prejudice?

      Second - charges brought in New Jersey don't have any bearing on charges brought in California/Arkansas/(anywhere but New Jersey)? Different state, different state laws being applied, different crime being alleged. I doubt that the charges in California would specifically be about the 4,500 New Jersey residents whose personal information was compromised. If necessary, they could simply exclude that evidence as not pertinent to their case and proceed with charges based on all the remaining evidence. Seems ridiculous, but much of US law is like that - swallowing camels whole but straining to swallow gnats is the expression I read somewhere once.

    15. Re:What happens now? by mmell · · Score: 1

      Until somebody managed to get the sentence vacated with prejudice.

    16. Re:What happens now? by Shakrai · · Score: 1

      It's not a public facing web page when you have to impersonate someone else in order to access it.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    17. Re:What happens now? by Yebyen · · Score: 1

      Which is just what he didn't do, according to the opinion. I agree, this fact wouldn't be helpful to his case if he was tried in probably any other possible state, other than New Jersey.

      --
      Restating the obvious since nineteen aught five.
    18. Re:What happens now? by phantomfive · · Score: 1

      No, no I did not. Guilty as charged.

      --
      "First they came for the slanderers and i said nothing."
    19. Re:What happens now? by Shakrai · · Score: 1

      He's still guilty of violating CFAA. They just tied it to another State level offense to enhance the underlying charge into a felony. They could have done that with any underlying state law though, so it's kind of moot whether or not he violated the NJ law. He's also guilty of violating Arkansas' computer trespass law, emphasis mine:

      A person commits computer trespass if the person intentionally and without authorization accesses, alters, deletes, damages, destroys, or disrupts any computer, computer system, computer network, computer program, or data.

      Had he been charged under that statute I highly doubt this would have become a national news story. This really shouldn't have become a Federal case, and if the Feds were hell bent on taking it they should have charged him in his home district. Carting him halfway across the country was a dick move, done purely for the convenience of the Federal Government, and it's made a martyr out of a common criminal that nobody would ever have heard of if this matter had been handled at the State level.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    20. Re:What happens now? by Yebyen · · Score: 1

      One has to wonder then, whose idea it was to charge him in New Jersey at all...

      If there's a precedent already in the state court that it's not unauthorized access if there's no code or password stolen... and there's a pretty clear argument that the case doesn't even belong in New Jersey, how did we get here? Some three years of incarceration later!

      (Obviously, the answer is that it's not a crime if a cop does it.)

      --
      Restating the obvious since nineteen aught five.
    21. Re:What happens now? by Shakrai · · Score: 1

      My understanding is it wound up New Jersey simply because the Federal authorities there have more experience with these types of cases. However it happened, I'd concur that it was improper venue. The Feds should have charged him in his own Federal District at the very least, though I'd go further than that and argue that the body of evidence should have been turned over to the authorities in Arkansas for a state level prosecution. Either way, he was entitled to be tried in the jurisdiction where the law was broken, not trucked halfway across the country for the convenience of Uncle Sam.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    22. Re:What happens now? by MarkvW · · Score: 1

      You're WAY off base. It's sad that you have been modded up.

      Venue not objected-to in the trial court is WAIVED. That means it can't be raised for the first time on appeal.

      If it could, lawyers would be sandbagging potential 'venue do-overs' all the time.

    23. Re:What happens now? by phantomfive · · Score: 1

      I wasn't modded up, and you're right, I'm wrong.

      --
      "First they came for the slanderers and i said nothing."
    24. Re:What happens now? by operagost · · Score: 1

      He did. The motion was denied.

      The judge in that case should probably be censured.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    25. Re:What happens now? by Anonymous Coward · · Score: 0

      His lawyer should have protested the venue in the first place. That is my understanding of the situation.

      His lawyer did. The Fed's response was that of the ~120k emails on the list, 4,500 were owned by New Jersey residents. The original judge/jury let the location stand on those grounds.

    26. Re:What happens now? by Anonymous Coward · · Score: 0

      State trial wouldn't work because of the interstate nature of the alleged crime.

  6. Of course by Vermonter · · Score: 1, Troll

    Of course they vacated his conviction based on the wrong venue instead of the merits of the case. This guarantees there is no controversy.

    1. Re:Of course by Anonymous Coward · · Score: 0

      Venue is a threshold issue. The court has to consider it before they consider the merits of the case. If a court determines that venue is not proper, then the court rules based on venue and does not consider the merits. That's the way the US system works.

  7. Interesting by Capt+James+McCarthy · · Score: 2, Interesting

    I never understood this. If you break up a rape and beat the crap out of the perpetrator, you are hailed a hero. But expose flaws and you are a criminal. I suppose it's not the crime they are exposing, but the tactics to obtain the information then? So the question would be do the ends justify the means? That would apply to all things governmental/commercial I suppose.

    --
    There are no loopholes. It's either legal or it's not.
    1. Re:Interesting by bunratty · · Score: 1

      You need to be very careful when doing security research. To expose a flaw in a security system, you often need to break the law, unless you have prior permission to expose flaws in a particular system. When I took Halderman's security class, he warned us that any student who broke the law would automatically get an F in his class.

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    2. Re:Interesting by sribe · · Score: 1

      If you break up a rape and beat the crap out of the perpetrator, you are hailed a hero.

      That depends entirely on locale. Some prosecutors would go after you for the assault.

    3. Re:Interesting by American+Patent+Guy · · Score: 1

      Weev did more than expose the security flaw. He ran a scheme to collect the email addresses behind the flawed security scheme, and collected over 100K of them. If he (and his partner) had stopped when the security flaw was discovered, then there would not have been a crime committed.

    4. Re:Interesting by NatasRevol · · Score: 1

      Sometimes, laws need to be broken.

      Read that any way you want.

      --
      There are two types of people in the world: Those who crave closure
    5. Re:Interesting by Anonymous Coward · · Score: 0

      I never understood this. If you break up a rape and beat the crap out of the perpetrator, you are hailed a hero. But expose flaws and you are a criminal.

      As others have mentioned, he didn't just test an exploit and then inform AT&T, he ran the exploit repeatedly, gaining more personal information each time, and discussed how to profit most from the security breach before (eventually) deciding to just publicly release all the data.

      A more proper crime analogy is that you come home from work to find a stranger at the corner with a large sign informing everyone that your back window is unlocked, and you need more ketchup.

    6. Re:Interesting by bunratty · · Score: 1

      I read that as saying that it's often the right thing to do to break the law. On the other hand, you can't expect no legal consequences because you did the right thing.

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    7. Re:Interesting by Solandri · · Score: 1

      To break up a rape, you need to conduct assault and battery on the rapist. Things that are normally considered criminal, but not in the context of self-defense or defense of another.

      That's what's missing in the security front. If you're exposing the flaw in self-defense (your info is at risk) or defense of another (other people's info is at risk), you should be immunized against prosecution if you reveal the info in a reasonable manner. "Reasonable" can be defined in many ways, but probably something like notifying government regulators and the company fielding the security hole and giving them a month to do something about it, before going public with it.

    8. Re:Interesting by Anonymous Coward · · Score: 0

      There was no crime as he didn't attempt or intend to use the information in an illegal way. Exactly what crime is supposed to have been committed?

    9. Re:Interesting by NatasRevol · · Score: 1

      Often, the legal consequences are what makes it so obvious that the law should be broken.

      --
      There are two types of people in the world: Those who crave closure
    10. Re:Interesting by Anonymous Coward · · Score: 0

      Weev did more than expose the security flaw. He ran a scheme to collect the email addresses behind the flawed security scheme, and collected over 100K of them. If he (and his partner) had stopped when the security flaw was discovered, then there would not have been a crime committed.

      So when a "real" security researcher goes far enough to create proof-of-concept code for a particular violation, they're now committing a crime?

    11. Re:Interesting by American+Patent+Guy · · Score: 1

      That's like arguing that a shoplifter took a knife, but didn't intend to stab anyone with it, so he's innocent. The illegal act was the collection of the email addresses that AT&T failed to properly protect.

      Think of it this way: AT&T had a security plan (a wall) to protect a collection of email addresses (a pot of gold coins), and AT&T failed to notice that there was a security flaw (a hole in the wall). If Weev walked up to the wall and declared there was a hole there, that would have been legal. What Weev did was to write a program that crawled through the hole that collected the coins. Weev didn't have a right to possess the email addresses, and they were within a security envelope.

      I'm not saying AT&T is guiltless here: I think they had a responsibility to their customers that they failed to meet. I'm not saying that I like this particular law. But under this law, Weev was apparently guilty.

    12. Re:Interesting by American+Patent+Guy · · Score: 1

      I don't think so. (That would violate the 1st amendment, as in free speech.) The crime would lie in running that code.

    13. Re:Interesting by Anonymous Coward · · Score: 0

      One count of identity fraud and one count of conspiracy to access a computer without authorization.

    14. Re:Interesting by Anonymous Coward · · Score: 0

      The "break up a rape" analogy isn't correct. It was more like finding an area filled with helpless women that was secured by an unlocked gate. They went through the gate and shouted, "We could be raping you!" The issue, then is whether or not they are guilty of trespassing.

      In the case of "beat the crap out of the perpetrator", you may be prosecuted if the beating gratuitously exceeded what was reasonably necessary to stop the raping, although the DA may try to ignore your excesses.

    15. Re:Interesting by MarkvW · · Score: 1

      It's more like writing an article in your local newspaper telling everyone who reads the paper just how they can steal all your neighbor's property without getting caught.

      At least that's my impression.

    16. Re:Interesting by Anonymous Coward · · Score: 0

      If you break up... beat the crap out of the perpetrator, and the perpetrator was the son of a senator, you'll probably be arrested for assault of a poor innocent boy out with his friend. All a matter of who the other party knows. And AT&T knows a lot of the right people.

    17. Re:Interesting by Anonymous Coward · · Score: 0

      If you break up a rape and beat the crap out of the perpetrator

      Bad analogy. He didn't break up a crime. He broke into the potential victim's house and threatened to rape her in order to demonstrate that someone else actually could. Try that and see where it gets you.

    18. Re:Interesting by MouseTheLuckyDog · · Score: 1

      When I took Halderman's security class, he warned us that any student who broke the law would automatically get an F in his class.

      I think if you broke the law-- and he can't argue you broke the law unless you are convicted-- then getting an F is the least of your worries.

    19. Re:Interesting by Anonymous Coward · · Score: 0

      When I took Halderman's security class, he warned us that any student who broke the law would automatically get an F in his class.

      I think if you broke the law-- and he can't argue you broke the law unless you are convicted-- then getting an F is the least of your worries.

      Don't be so sure about that. The NSA is doing the same thing breaking the laws.
      People can't argue against that fact, despite the repeated denials from their spokesmen.
      Yet they have not been convicted, so legitimization in our eyes depends on oversight that fails to act due to higher interests?
      Even without conviction, that the NSA is getting many an F. in people's view... isn't really changing things. Meaning, there are still no "least of your worries" from the NSA's perspective. I mean, nobody is seriously reviewing them via letter grades, or we'd have seen the thing shut down. Instead, they argue that the NSA's presence in this classroom is vital to the rest of the student's safety, even if they are a bully-type superhero, and unrefined like Will Smith's Hancock

    20. Re:Interesting by Anonymous Coward · · Score: 0

      I never understood this. If you break up a rape and beat the crap out of the perpetrator, you are hailed a hero. But expose flaws and you are a criminal.

      Pushing your dick in because someone forgot to lock her window is not "exposing a flaw". Even if the victim thought it was her boyfriend.

    21. Re:Interesting by adolf · · Score: 1

      I was actually waiting for someone to bring up a rape analogy. Your analogy fails.

      If you break up a rape, you've done two things: Witnessed wrongdoing and attempted (succeeded?) in stopping it.

      If you pen-test someone else's network, you've done none of these things. Where's the witnessed wrongdoing? Where's the stopping it?

      In the first case, of course you are (or should be) a hero. But to extend your analogy, in the latter case, you've done nothing more than check every girl you can find to see if she's rapable.

      Apples and ugly.

    22. Re:Interesting by Anonymous Coward · · Score: 0

      No idea if this will be read, but...

      I think it's more like finding a flaw in a window (specific model) that allows it to be opened when locked. Or perhaps a flaw in a lock used on people's doors. So, you test it on one door, and discover it works. So you go around to other buildings/houses and discover it works there too.

      I don't know all the details, but he probably should have stopped at the initial discovery. Or perhaps get a few friends to test it on their own. That way, the only violation of privacy he did was on people who consented to it.

  8. Not Odd At All by jratcliffe · · Score: 4, Insightful

    "Oddly, the reason for the ruling was not based on the merits of the case, but on the venue in which he was tried (PDF)."

    This isn't odd at all. If the venue was incorrect, then all the issues raised in the trial become irrelevant.

    Think of it this way: if he'd been charged with "being a Mets fan," and the appeal was based on (a) there's no law against being a Mets fan, and (b) the evidence that he was a Mets fan (a cap) was obtained through an illegal search, then whether or not the search was illegal would be irrelevant - he had broken no law, so the "conviction" would be tossed out.

    1. Re:Not Odd At All by Yebyen · · Score: 1

      ...except that the situation you just described is the opposite of what happened.

      The judges declined to give an opinion on whether or not any law was violated, they vacated the verdict in NJ because of a procedural violation that had taken place -- the venue the case was tried in was NJ, even though the events and parties (AT&T was not a plaintiff, so technically not a party... but the servers in question) were not any of them in NJ.

      --
      Restating the obvious since nineteen aught five.
    2. Re:Not Odd At All by bruce_the_loon · · Score: 2

      An opinion on the law being violated was given in footnote 5 on page 12 of the judgement. It suggests he is not guilty of the charge.

      --
      Trying to become famous by taking photos. Visit my homepage please.
    3. Re:Not Odd At All by jratcliffe · · Score: 1

      Bad example on my part, then. Point I was trying to get across is that, if there's a procedural reason to overturn a ruling, judges will always go that route rather than getting into the substance of the case, since the substance doesn't matter.

    4. Re:Not Odd At All by Yebyen · · Score: 1

      It suggests (by way that no evidence was offered) that he is not guilty of unauthorized use of a code or password, which means he's not guilty of violating the precedent for the statute in NJ. It gives no opinion on whether or not this has any bearing on the federal charge under CFAA. The precedent cited is another NJ case, where the person on trial was a police officer who had a password and used it for reasons against internal policy. There was no password, but I believe the standards of the federal CFAA are actually much lower.

      --
      Restating the obvious since nineteen aught five.
    5. Re:Not Odd At All by Yebyen · · Score: 1

      I'll try a car analogy. If you're trying to drive to New Jersey and you're starting your trip in Ireland, it's not important that you don't have EZPass or any American money to pay the tolls. There's too much water in your engine by the time you reach the shore, assuming you didn't just run out of gas on the bottom of the ocean. You didn't fail to pay the roadway tolls in Jersey, since you never were in the state of New Jersey. So you don't go to jail for that.

      --
      Restating the obvious since nineteen aught five.
    6. Re:Not Odd At All by Anonymous Coward · · Score: 1

      "Oddly, the reason for the ruling was not based on the merits of the case, but on the venue in which he was tried (PDF)."

      This isn't odd at all. If the venue was incorrect, then all the issues raised in the trial become irrelevant.

      Think of it this way: if he'd been charged with "being a Mets fan," and the appeal was based on (a) there's no law against being a Mets fan, and (b) the evidence that he was a Mets fan (a cap) was obtained through an illegal search, then whether or not the search was illegal would be irrelevant - he had broken no law, so the "conviction" would be tossed out.

      It's a little more complicated than this. Part of the reason New Jersey was chosen is that they could tag a felony onto the case. So it would be like being charged for being a Mets fan, but you live in Arkansas, and the cap was found in Arkansas, but it's only a misdemeanor in Arkansas to be a Mets fan...so the trial was moved to Jersey where being a Mets fan is a felony.

  9. I hope you don't work for the NSA... by American+Patent+Guy · · Score: 2

    From the decision: "To be found guilty, the Government must prove that the defendant (1) intentionally (2) accessed without authorization (or exceeded authorized access to) a (3) protected computer and (4) thereby obtained information." I haven't read this particular law, but I doubt that it has a provision that gives blanket immunity to government agents/employees. The minute you step over the line of unauthorized access to a computer (assuming you don't have a warrant), you've just committed a crime.

    Ooooooh ... where's my popcorn?!

  10. Proper venue is a fundamental constitutional right by FuzzMaster · · Score: 0
    From the opinion, the court got this part right:

    “Though our nation has changed in ways which it is difficult to imagine that the Framers of the Constitution could have foreseen, the rights of criminal defendants which they sought to protect in the venue provisions of the Constitution are neither outdated nor outmoded.” ... Just as this was true when we decided Passodelis in 1980 — after the advent of railroad, express mail, the telegraph, the telephone, the automobile, air travel, and satellite communications — it remains true in today’s Internet age. For the forgoing reasons, we will reverse the District Court’s venue determination and vacate Auernheimer’s conviction.

  11. Not Quite by Anonymous Coward · · Score: 1

    What the appeals court said is that they could not rule on the merits of the case, as there were none. For them to rule on the merits of the case, it would have to have been properly tried. It wasn't, therefore, there are no merits at all. This is consistent with the "poisoned fruit" doctrine that leads all tainted evidence to be discarded due to having been obtained illegally, whether or not it's relevant.

  12. Not just the Declaration by T.E.D. · · Score: 3, Interesting
    He wasn't kidding in the slightest about venue being a big issue in our break with Britain. You can find the issue at least alluded to as a grievance in just about any pre-war document. My favorite is Franklin's sarcastic Rules by Which a Great Empire May Be Reduced to a Small One

    This King, these Lords, and these Commons, who it seems are too remote from us to know us and feel for us, cannot take from us ... our Right of Trial by a Jury of our Neighbours. ... To annihilate this Comfort, ... let there be a formal Declaration of both Houses, that Opposition to your Edicts is Treason, and that Persons suspected of Treason in the Provinces may, according to some obsolete Law, be seized and sent to the Metropolis of the Empire for Trial; and pass an Act that those there charged with certain other Offences shall be sent away in Chains from their Friends and Country to be tried in the same Manner for Felony. Then erect a new Court of Inquisition among them, accompanied by an armed Force, with Instructions to transport all such suspected Persons, to be ruined by the Expence if they bring over Evidences to prove their Innocence, or be found guilty and hanged if they can’t afford it.

    (emphasis his)

    1. Re:Not just the Declaration by Livius · · Score: 1

      A wonderful ideal, but it did break down when a smuggler was tried with a jury of other smugglers.

    2. Re:Not just the Declaration by T.E.D. · · Score: 1

      That was essentially England's argument in sending colonists over there for trial. It's tough to get a lot of convictions out of a colonial jury that thinks the law itself is stupid (and they had no say in it). Parliament also passed laws taking both the appointment and salaries of judges out of the hands of the colonies. That showed up as a grievance everywhere too.

  13. Details on the exploit? by RyuuzakiTetsuya · · Score: 1

    I've been trying to find some sort of write up on what was exploited and how it was found.

    Does anyone know where to find any of this documentation?

    --
    Non impediti ratione cogitationus.
    1. Re:Details on the exploit? by Anonymous Coward · · Score: 0

      Read the court of appeals reversal. It outlines what happened quite well.

    2. Re:Details on the exploit? by FuzzMaster · · Score: 0

      It's very clearly explained in the opinion PDF linked in the summary.

    3. Re:Details on the exploit? by PRMan · · Score: 4, Informative

      Basically, they tried to put an unlimited iPad SIM card in a PC. They disassembled the driver to find out how it authorized them and realized that there was no security, it just went to a hidden website. They went to the website and it didn't work but then they changed their agent string in their browser to impersonate an iPad. At that point, it showed him his account information. After that, they just incremented the number up and down and realized that it showed them EVERYONE'S account information.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
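
A defender's view of the pattern described in the comment above, as an added example that is not part of the original thread: flagging a client that walks through adjacent account numbers in a web access log. The log format, the `/account?id=` path, keying clients by source IP and the thresholds are all assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Hypothetical log format: ip [time] "GET /account?id=N HTTP/1.x" status "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "GET /account\?id=(?P<id>\d+) HTTP/1\.[01]" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
UA = "Mozilla/5.0 (iPad)"  # constructed; a User-Agent is client-supplied, not identity

# Constructed sample: one client stepping through ids, two ordinary clients.
SAMPLE_LOG = "\n".join(
    [f'198.51.100.7 [10:00:{i:02d}] "GET /account?id={n} HTTP/1.1" 200 "{UA}"'
     for i, n in enumerate([890001, 890002, 890003, 890004, 890005, 890006, 890005])]
    + [f'203.0.113.20 [10:01:00] "GET /account?id=412233 HTTP/1.1" 200 "{UA}"'] * 3
    + [f'192.0.2.55 [10:02:00] "GET /account?id=700010 HTTP/1.1" 200 "{UA}"',
       f'192.0.2.55 [10:02:09] "GET /account?id=912345 HTTP/1.1" 200 "{UA}"']
)

def ids_by_client(log_text):
    """Map client IP -> list of requested account ids, in request order."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # ignore lines that are not account lookups
            seen[m["ip"]].append(int(m["id"]))
    return seen

def longest_step_run(ids, max_step=1):
    """Longest run of consecutive requests whose ids differ by 1..max_step."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        # A repeat of the same id (step 0) or a large jump resets the run.
        run = run + 1 if 0 < abs(cur - prev) <= max_step else 1
        best = max(best, run)
    return best

def flag_enumeration(log_text, min_distinct=5, min_run=5):
    """Return {ip: (distinct_ids, longest_run)} for clients that look like enumeration."""
    flagged = {}
    for ip, ids in ids_by_client(log_text).items():
        distinct, run = len(set(ids)), longest_step_run(ids)
        if distinct >= min_distinct and run >= min_run:
            flagged[ip] = (distinct, run)
    return flagged

if __name__ == "__main__":
    for ip, (distinct, run) in flag_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {distinct} distinct account ids, longest adjacent run {run}")
```

Detection like this is a backstop; the underlying fix is to bind each account lookup to an authenticated session rather than to a guessable number.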
  14. Court of Appeals for the 3rd Circuit by Anonymous Coward · · Score: 0

    Actually, it is the United States Court of Appeals for the 3rd Circuit. The District Courts are the federal trial courts, whose decisions the courts of Appeal review.

  15. it wasnt an exploit by Anonymous Coward · · Score: 0

    some dumbass put an email list in the web root, which weev found

  16. I don't think he should have got 41 months by Stan92057 · · Score: 1

    I don't think he should have got 41 months...that said he should get a hefty fine, community service. ATT should also receive a fine since they made the mistake of having the thing public when it shouldn't have been. Is the kid a criminal? I don't think so, but he sure is a punk asshole jerk that took advantage of a mistake. You apologists need to rethink your values; there was NO reason for the jackass to publish innocent victims' personal information. That is MO....I'm sticking to it.

    --
    Jack of all trades,master of none
  17. Is It Unlawful To Increment A Number In A URL? by sk999 · · Score: 1

    If so, then I committed an unlawful act today. Did a Google search, and soon I was reading a pdf file of section 9 of some code, but it referred to section 10. How do I locate section 10? Oh wait - just increment the section number in the URL by 1. Oops - Federal prosecutors knocking on my door, ready to haul me off to NJ for trial. Dang.

    1. Re:Is It Unlawful To Increment A Number In A URL? by Anonymous Coward · · Score: 0

      If so, then I committed an unlawful act today. Did a Google search, and soon I was reading a pdf file of section 9 of some code, but it referred to section 10. How do I locate section 10? Oh wait - just increment the section number in the URL by 1. Oops - Federal prosecutors knocking on my door, ready to haul me off to NJ for trial. Dang.

      I've done that before too, looking for a manual and the link went to the wrong one. So I just changed the number of the pdf and got it

  18. The question is unauthorized access by Anonymous Coward · · Score: 0

    They were not logged in to a computer. Thus it's questionable whether repetitively trying different codes, and harvesting information in response, was gaining access. Further, no criminal intent was manifested in that the information was not exploited.

  19. trespassing, not B&E by Anonymous Coward · · Score: 0

    If I walk into your house through your front door, that's trespassing. If I break in, that's B&E.

    The CFAA is widely understood to prohibit B&E, not trespassing.

    Anyway, I think that sending HTTP queries should never be a crime, since that would make links riskier to click. Though, links to child porn are also illegal to click.

  20. people get severely beaten for being in the wrong by Anonymous Coward · · Score: 0

    the difference is Black privilege

  21. or they could retry him this time for violating AT by Anonymous Coward · · Score: 0

    like what happened in the Rodney King trial