Slashdot Mirror


'weev' Conviction Vacated

An anonymous reader writes "A few years back, Andrew 'weev' Auernheimer went public with a security vulnerability that made the personal information of 140,000 iPad owners available on AT&T's website. He was later sentenced to 41 months in prison for violating the Computer Fraud and Abuse Act (or because the government didn't understand his actions, depending on your viewpoint). Now, the Third U.S. District Court of Appeals has vacated weev's conviction. Oddly, the reason for the ruling was not based on the merits of the case, but on the venue in which he was tried (PDF). From the ruling: 'Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age, we find it necessary to reach only one that has been fundamental since our country's founding: venue. The proper place of colonial trials was so important to the founding generation that it was listed as a grievance in the Declaration of Independence.'"

6 of 148 comments

  1. To the point... by msauve · Score: 5, Informative

    Spitler was in San Francisco, California and Auernheimer was in Fayetteville, Arkansas. The servers that they accessed were physically located in Dallas, Texas and Atlanta, Georgia. Although no evidence was presented regarding the location of the Gawker reporter, it is undisputed that he was not in New Jersey.

    He was indicted and tried in NJ, despite none of the involved parties being located there.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:To the point... by NatasRevol · Score: 4, Informative

      Actually AT&T exposed the emails.

      --
      There are two types of people in the world: Those who crave closure
    2. Re:To the point... by Shakrai · Score: 5, Informative

      Actually AT&T exposed the emails.

      After weev modified his user-agent to pass his browser off as an iPad, then wrote a script to throw millions of different ICC-ID codes at AT&T's servers, thereby tricking them into thinking that he was the AT&T customers whose e-mails were exposed.

      AT&T's "security" measures were woefully inadequate, but that doesn't change the fact that calculated and deliberate actions were required to obtain access to information that Mr. Auernheimer and Mr. Spitler knew they had no right to access. They both had the guilty mind (mens rea) required under our legal tradition to sustain a criminal conviction, breaking both the letter and the spirit of the law.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    3. Re:To the point... by NatasRevol · Score: 4, Informative

      'deliberate actions' don't meet the definition of illegal behavior though.

      They had to be 'accessed without authorization'. Sending different ICC-ID codes is NOT authorization. It's just a query. There was no actual authorization in place, and thus NO ACTUAL LAW WAS BROKEN.

      --
      There are two types of people in the world: Those who crave closure
  2. Re:Or in legal parlance by krlynch · Score: 5, Informative

    Which is more officially the Doctrine of Constitutional Avoidance: http://en.wikipedia.org/wiki/C...

  3. Re:Details on the exploit? by PRMan · Score: 4, Informative

    Basically, they tried to put an unlimited iPad SIM card in a PC. They disassembled the driver to find out how it authorized them and realized that there was no security, it just went to a hidden website. They went to the website and it didn't work but then they changed their agent string in their browser to impersonate an iPad. At that point, it showed him his account information. After that, they just incremented the number up and down and realized that it showed them EVERYONE'S account information.

    --
    Peter predicted that you would "deliberately forget" creation 2000 years ago...
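
The flaw described in the last comment above, an identifier lookup gated only by a client-supplied User-Agent string, shown from the server side next to a version that authorizes against a logged-in session and throttles enumeration. This is an added example, not part of the thread and not AT&T's code; the function names, account table, session tokens and threshold are all constructed assumptions.

```python
# Added illustration; all names and data are constructed, not AT&T's system.
from collections import defaultdict

# Constructed sample data: ICC-ID -> account e-mail.
ACCOUNTS = {
    "8901000000000000001": "alice@example.com",
    "8901000000000000002": "bob@example.com",
    "8901000000000000003": "carol@example.com",
}
# Constructed sessions: token issued after a real login -> the ICC-ID it owns.
SESSIONS = {"tok-alice": "8901000000000000001"}

ENUM_THRESHOLD = 2  # distinct foreign identifiers tolerated per client
_foreign_ids = defaultdict(set)  # client address -> identifiers it probed


def lookup_vulnerable(user_agent, icc_id):
    """Pattern from the comment: the only gate is a client-supplied header."""
    if "iPad" not in user_agent:
        return 403, None
    # No check that the caller owns icc_id, so any valid value is answered.
    email = ACCOUNTS.get(icc_id)
    return (200, email) if email else (404, None)


def lookup_hardened(client_addr, session_token, icc_id):
    """Authorize on a server-side session, never on User-Agent or the ID itself."""
    owned = SESSIONS.get(session_token)
    if owned is None:
        return 401, None
    if icc_id != owned:
        # Same response whether or not the identifier exists: no oracle.
        _foreign_ids[client_addr].add(icc_id)
        if len(_foreign_ids[client_addr]) > ENUM_THRESHOLD:
            return 429, None  # enumeration suspected: throttle and alert
        return 403, None
    return 200, ACCOUNTS[owned]


def is_flagged(client_addr):
    """True once a client has asked for more foreign identifiers than allowed."""
    return len(_foreign_ids[client_addr]) > ENUM_THRESHOLD
```
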