'weev' Conviction Vacated
An anonymous reader writes "A few years back, Andrew 'weev' Auernheimer went public with a security vulnerability that made the personal information of 140,000 iPad owners available on AT&T's website. He was later sentenced to 41 months in prison for violating the Computer Fraud and Abuse Act (or because the government didn't understand his actions, depending on your viewpoint). Now, the Third U.S. District Court of Appeals has vacated weev's conviction. Oddly, the reason for the ruling was not based on the merits of the case, but on the venue in which he was tried (PDF). From the ruling: 'Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age, we find it necessary to reach only one that has been fundamental since our country's founding: venue. The proper place of colonial trials was so important to the founding generation that it was listed as a grievance in the Declaration of Independence.'"
He was indicted and tried in NJ, despite none of the involved parties being located there.
"National Security is the chief cause of national insecurity." - Celine's First Law
Not liking someone isn't a good enough reason to put them in jail.
Usually. For now.
My opinions are my own, and do not necessarily represent those of my employer.
They invoked the writ of Copus Outus.
From a practical standpoint, it depends on who doesn't like him.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
From Wikipedia: "Relief from judgment of a United States District Court is governed by Rule 60 of the Federal Rules of Civil Procedure.[1] The United States Court of Appeals for the Seventh Circuit noted that a vacated judgment "place[s] the parties in the position of no trial having taken place at all; thus a vacated judgment is of no further force or effect."[2] Thus, vacated judgments have no precedential effect.[3]"
That seems to say that he is now in a legal position as if the trial had never taken place. So can he be taken to court in the proper place now?
Of course they vacated his conviction based on the wrong venue instead of the merits of the case. This guarantees there is no controversy.
I never understood this. If you break up a rape and beat the crap out of the perpetrator, you are hailed a hero. But expose flaws and you are a criminal. I suppose it's not the crime they are exposing, but the tactics to obtain the information then? So the question would be do the ends justify the means? That would apply to all things governmental/commercial I suppose.
There are no loopholes. It's either legal or it's not.
"Oddly, the reason for the ruling was not based on the merits of the case, but on the venue in which he was tried (PDF)."
This isn't odd at all. If the venue was incorrect, then all the issues raised in the trial become irrelevant.
Think of it this way: if he'd been charged with "being a Mets fan," and the appeal was based on (a) there's no law against being a Mets fan, and (b) the evidence that he was a Mets fan (a cap) was obtained through an illegal search, then whether or not the search was illegal would be irrelevant - he had broken no law, so the "conviction" would be tossed out.
From the decision: "To be found guilty, the Government must prove that the defendant (1) intentionally (2) accessed without authorization (or exceeded authorized access to) a (3) protected computer and (4) thereby obtained information." I haven't read this particular law, but I doubt that it has a provision that gives blanket immunity to government agents/employees. The minute you step over the line of unauthorized access to a computer (assuming you don't have a warrant), you've just committed a crime.
Ooooooh ... where's my popcorn?!
Not liking someone isn't a good enough reason to put them in jail.
Then why are people in jail for smoking pot, or being in the wrong location while black?
People go to jail all the time just because some idiot with power didn't like them.
Not liking someone isn't a good enough reason to put them in jail.
He deserved to go to jail. Read the body of evidence against him. This wasn't a simple exposure of a security flaw in AT&T's website. He took deliberate actions to maximize the collection of information, bypassed security measures to obtain said information (that the security measures were woefully inadequate is beside the point, deliberate actions were required to bypass them), and discussed ways to use the obtained information for personal profit with his co-conspirator.
None of that is to suggest that I agree with dragging him halfway across the country, or even with the Feds getting involved in the first place. His home state (Arkansas) has a computer trespass statute that would have been sufficient to prosecute him under, or the Feds could have at least tried him in his own district. I suspect that the former is what may happen now, since double jeopardy won't apply to a State level prosecution, and if it shakes out fairly he'll get credit for the time served in Federal prison without additional jail/prison time being imposed. First time offender and a non-violent crime after all...
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
What the appeals court said is that they could not rule on the merits of the case, as there were none. For them to rule on the merits of the case, it would have to have been properly tried. It wasn't, therefore, there are no merits at all. This is consistent with the "poisoned fruit" doctrine that leads all tainted evidence to be discarded due to having been obtained illegally, whether or not it's relevant.
He didn't say it never happens. He said it isn't a good enough reason for it to happen.
Agreed - A/C's all look like they're at -1 to me anyhow . . .
yet doxxing someone and starting a campaign of threats isn't?
Non impediti ratione cogitationus.
This King, these Lords, and these Commons, who it seems are too remote from us to know us and feel for us, cannot take from us ... our Right of Trial by a Jury of our Neighbours. ... To annihilate this Comfort, ... let there be a formal Declaration of both Houses, that Opposition to your Edicts is Treason, and that Persons suspected of Treason in the Provinces may, according to some obsolete Law, be seized and sent to the Metropolis of the Empire for Trial; and pass an Act that those there charged with certain other Offences shall be sent away in Chains from their Friends and Country to be tried in the same Manner for Felony. Then erect a new Court of Inquisition among them, accompanied by an armed Force, with Instructions to transport all such suspected Persons, to be ruined by the Expence if they bring over Evidences to prove their Innocence, or be found guilty and hanged if they can’t afford it.
(emphasis his)
I've been trying to find some sort of write up on what was exploited and how it was found.
Does anyone know where to find any of this documentation?
Non impediti ratione cogitationus.
Sounds like you probably aren't from the southern U.S.
Then why are people in jail for smoking pot, or being in the wrong location while black?
Wait -- back up. You know that one of those two things is actually on-the-books against the law and the other is not, right? I hope. Please?
that the security measures were woefully inadequate is beside the point
On the contrary, we cannot have the law being abused to take the place of security. Too many people would fake the security and rely on the law to make it work. Too many are already doing exactly that. It's a costly and unreasonable burden upon the public. Pay for your own security. That includes designing a reasonable system, implementing it properly so that it actually works, and performing tests and audits. Just because perfection is hard is no reason to excuse sloppy security work. DRM, for instance, fails the reasonability requirement. We have had our publicly funded police forces and courts misused to confiscate prescription drugs, improperly demand license fees from users rather than producers (SCO scared and bullied a few users into paying for a license to use Linux), and of course conduct a massive campaign to hold back technology in the name of stopping piracy. ISPs are pretty well free of being burdened with requirements to keep years and years of logs, for fishing expeditions, but there is still danger it could become the law.
It is also better not to have doubt about whether some security effort was meant to be real but was bungled, or was indeed faked and, after being breached, is claimed to have been a real effort all along and therefore the breaches are worthy of prosecution. This is especially true on a system that is not experimental, but is instead an implementation of well known, effective methods. AT&T wasn't doing anything new, no, they just plain blew it. Saves us all a lot of time and money arguing over a pointless aside.
We even have cases of security law being gamed. We don't need someone setting up a honey pot to snare particular victims, then running to the law to complain that mean, bad people broke in, ask that the seeming perpetrators be thrown in prison, and kick back and watch as the full paranoia and wrath of the law is released upon their enemies.
Owners should install working locks on their doors and use them, not demand that the government spend enough money, no matter how much, to watch every door all the time because they can't be bothered to spend the trivial amount of money needed to have a working lock.
Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
Thank you. I'll take the Score:5, but it wasn't meant to be funny.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
I don't think he should have got 41 months... that said, he should get a hefty fine, community service. ATT should also receive a fine since they made the mistake of having the thing public when it shouldn't have been. Is the kid a criminal? I don't think so, but he sure is a punk asshole jerk that took advantage of a mistake. You apologists need to rethink your values; there was NO reason for the jackass to publish innocent victims' personal information. That is MO... I'm sticking to it.
Jack of all trades, master of none
If so, then I committed an unlawful act today. Did a Google search, and soon I was reading a pdf file of section 9 of some code, but it referred to section 10. How do I locate section 10? Oh wait - just increment the section number in the URL by 1. Oops - Federal prosecutors knocking on my door, ready to haul me off to NJ for trial. Dang.
How is the law being abused here? Go read the evidence in this case. AT&T set up a system that was designed to automatically populate an e-mail field for the convenience of their customers. They did this by matching two different variables, the user-agent of the iPad web browser and the ICC-ID number from the SIM card contained therein. Two people then discovered that they could fake both of those variables to obtain the personally identifiable information (PII) of AT&T customers. They did this in a deliberate manner while discussing ways of using the obtained information for profit, with ideas ranging from spamming (direct marketing of iPad accessories to people who obviously owned iPads) to securities fraud (they floated the idea of shorting AT&T's stock when news of the security breach broke) to the enhancement of their own reputation (look how awesome of a security guy I am, I broke into AT&T, buy my consulting services!)
AT&T's failings are not really relevant here. The process of obtaining the PII was sufficiently complicated as to make it readily apparent that the information obtained was not for public consumption. No reasonable person would conclude that they were entitled to access the PII of AT&T's customers. No reasonable person would discover this security flaw then write a script to automate the collection process while exploring methods of using the obtained information for personal financial gain.
Your whole argument can be distilled to three words: Blame the victim.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
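Added example, not part of the original thread and not AT&T's code: a minimal Python model of the e-mail pre-fill design described in the comment above, next to a variant that honours the identifier only when it arrives with a server-issued token. The subscriber records, function names and token format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: ICC-ID -> account e-mail (not real values).
SUBSCRIBERS = {
    "89010000000000000011": "alice@example.com",
    "89010000000000000029": "bob@example.com",
}
SERVER_KEY = secrets.token_bytes(32)  # per-process secret used to sign tokens


def prefill_weak(user_agent: str, icc_id: str):
    """Design as described in the comment: both inputs are client-supplied
    and neither is a secret, so any client that sends them gets the e-mail."""
    if "iPad" not in user_agent:
        return None
    return SUBSCRIBERS.get(icc_id)


def _mac(icc_id: str) -> str:
    return hmac.new(SERVER_KEY, icc_id.encode(), hashlib.sha256).hexdigest()


def issue_token(icc_id: str) -> str:
    """Hypothetical helper: called only after the subscriber has
    authenticated, it binds an unforgeable MAC to one ICC-ID."""
    return f"{icc_id}.{_mac(icc_id)}"


def mask(email: str) -> str:
    """Return only enough of the address for the owner to recognise it."""
    local, _, domain = email.partition("@")
    return f"{local[0]}***@{domain}"


def prefill_hardened(user_agent: str, token: str):
    """The User-Agent plays no part in authorization, the identifier is
    accepted only with a valid server MAC, and the reply is masked."""
    icc_id, _, mac = token.partition(".")
    if not hmac.compare_digest(mac, _mac(icc_id)):
        return None
    email = SUBSCRIBERS.get(icc_id)
    return mask(email) if email else None
```

A production token would also carry an expiry and be tied to a session; the sketch omits both to stay on the one point that an identifier the client can choose is not a credential.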
I'm a bit of a devil's advocate as I write this, but:
The law is already responsible for security. When I leave the cheap door locks on my house locked and the windows open (but locked, and because the weather is beautiful), and someone breaks in (by picking the lock, using a metal rod to bypass the locked window, a sledgehammer to knock the doorknob-lock off of the door, or just throwing a brick through the window), the crime is the same as if I had fancy Medeco deadbolts, high-security doors, wrought-iron security cages over the windows, a solid alarm system, and a well-trained attack dog: B&E.
The reason? As I understand it, it revolves around intent. I intend for my house to be secure, and therefore (in the eyes of the law) it is.
What makes electronic security different from physical security?
Kid-proof tablet..
Microsoft makes an especially good example of the results of ignoring security for convenience. Does AT&T deserve leniency and approval for trying to make life convenient? Not when they could have easily had the same convenience with real security.
Why should the law jump when AT&T whistles? Consider this scenario. Alice leaves the door to her business unlocked, and the lights on, and Steve observes this. Steve sends a fake invitation to Bob for an after hours party at Alice's business. Bob goes, and enters. For some extra fun, Steve also tells Bob where some food is, and that he should help himself to it. Alice throws a fit and calls the police. Now what? Obviously, it's overzealous to arrest Bob for trespassing and looting. The police might do so anyway, for several reasons. Maybe they have to follow a policy that emphasizes getting control of every situation as fast as possible, and so they burst in with guns drawn, scream at Bob and throw him to the floor, and taser and handcuff him for good measure. Maybe Bob was stupid, should've been suspicious and knocked first, or not gone at all? But that's expecting a lot of Bob. If Alice had simply locked the doors, Bob would've been unable to walk in, and the entire incident would've come to nothing. Alice should shoulder some responsibility for not making things as clear as easily possible to Bob. No, a "no trespassing" or "closed" sign with hours is not good enough, not when it is so easy to just lock the door. A locked door is the clearer, more universal message, and very easy to do. Not everyone reads the same language, and some can't read at all.
The process of obtaining the PII was sufficiently complicated as to make it readily apparent that the information obtained was not for public consumption.
No, it isn't safe to assume that. Add one more thing to the scenario above. Steve programs a web page to hide all the complexity, so that Bob can't readily tell he has stumbled into something private. Again, it is so easy to stop both Bob and Steve by just locking the door.
Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"