Slashdot Mirror


'weev' Conviction Vacated

An anonymous reader writes "A few years back, Andrew 'weev' Auernheimer went public with a security vulnerability that made the personal information of 140,000 iPad owners available on AT&T's website. He was later sentenced to 41 months in prison for violating the Computer Fraud and Abuse Act (or because the government didn't understand his actions, depending on your viewpoint). Now, the Third U.S. District Court of Appeals has vacated weev's conviction. Oddly, the reason for the ruling was not based on the merits of the case, but on the venue in which he was tried (PDF). From the ruling: 'Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age, we find it necessary to reach only one that has been fundamental since our country's founding: venue. The proper place of colonial trials was so important to the founding generation that it was listed as a grievance in the Declaration of Independence.'"

12 of 148 comments (clear)

  1. To the point... by msauve · · Score: 5, Informative

    Spitler was in San Francisco, California and Auernheimer was in Fayetteville, Arkansas. The servers that they accessed were physically located in Dallas, Texas and Atlanta, Georgia. Although no evidence was presented regarding the location of the Gawker reporter, it is undisputed that he was not in New Jersey.

    He was indicted and tried in NJ, despite none of the involved parties being located there.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:To the point... by NatasRevol · · Score: 4, Informative

      Actually AT&T exposed the emails.

      --
      There are two types of people in the world: Those who crave closure
    2. Re:To the point... by Shakrai · · Score: 5, Informative

      Actually AT&T exposed the emails.

      After weev modified his user-agent to pass his browser off as an iPad, then wrote a script to throw millions of different ICC-ID codes at AT&T's servers, thereby tricking them into thinking that he was the AT&T customers whose e-mails were exposed.

      AT&T's "security" measures were woefully inadequate, but that doesn't change the fact that calculated and deliberate actions were required to obtain access to information that Mr. Auernheimer and Mr. Spitler knew they had no right to access. They both had the guilty mind (mens rea) required under our legal tradition to sustain a criminal conviction, breaking both the letter and the spirit of the law.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    3. Re:To the point... by NatasRevol · · Score: 4, Informative

      'deliberate actions' don't meet the definition of illegal behavior though.

      They had to be 'accessed without authorization'. Sending different ICC-ID codes is NOT authorization. It's just a query. There was no actual authorization in place, and thus NO ACTUAL LAW WAS BROKEN.

      --
      There are two types of people in the world: Those who crave closure
    4. Re:To the point... by NatasRevol · · Score: 4, Interesting

      Well, not me, but the appeals court certainly did.
      This paragraphy is on page 10 of the ruling:

      The charged portion of the CFAA provides that
      “[w]hoever . . . intentionally accesses a computer without
      authorization or exceeds authorized access, and thereby
      obtains . . . information from any protected computer . . . shall
      be punished as provided in subsection (c) of this section.” 18
      U.S.C. 1030(a)(2)(C). To be found guilty, the Government
      must prove that the defendant (1) intentionally (2) access
      edwithout authorization (or exceeded authorized access to) a
      (3)protected computer and(4) thereby obtained information

      Then his paragraph is on page 12 of the ruling:

      Because neither Auernheimer nor his co-conspirator
      Spitler performed any “essential conduct element” of the
      underlying CFAA violation or any overt act in furtherance of
      the conspiracy in New Jersey, venue was improper on count
      one.

      I guess you're smarter than them.

      Also, if passing a phone identifier to a query of a web server could access all this information, is that really a 'protected computer'? I'd say no.

      --
      There are two types of people in the world: Those who crave closure
  2. Re:sad day for those who don't like 4chan trolls by bmajik · · Score: 4, Insightful

    Not liking someone isn't a good enough reason to put them in jail.

    Usually. For now.

    --
    My opinions are my own, and do not necessarily represent those of my employer.
  3. Or in legal parlance by korbulon · · Score: 4, Funny

    They invoked the writ of Copus Outus.

    1. Re:Or in legal parlance by krlynch · · Score: 5, Informative

      Which is more officially the Doctrine of Constitutional Avoidance: http://en.wikipedia.org/wiki/C...

  4. Re:sad day for those who don't like 4chan trolls by roc97007 · · Score: 5, Funny

    From a practical standpoint, it depends on who doesn't like him.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  5. What happens now? by gnasher719 · · Score: 4, Interesting

    From Wikipedia: "Relief from judgment of a United States District Court is governed by Rule 60 of the Federal Rules of Civil Procedure.[1] The United States Court of Appeals for the Seventh Circuit noted that a vacated judgment "place[s] the parties in the position of no trial having taken place at all; thus a vacated judgment is of no further force or effect."[2] Thus, vacated judgments have no precedential effect.[3]"

    That seems to say that he is now in a legal position as if the trial had never taken place. So can he be taken to court in the proper place now?

  6. Not Odd At All by jratcliffe · · Score: 4, Insightful

    "Oddly, the reason for the ruling was not based on the merits of the case, but on the venue in which he was tried (PDF)."

    This isn't odd at all. If the venue was incorrect, then all the issues raised in the trial become irrelevant.

    Think of it this way: if he'd been charged with "being a Mets fan," and the appeal was based on (a) there's no law against being a Mets fan, and (b) the evidence that he was a Mets fan (a cap) was obtained through an illegal search, then whether or not the search was illegal would be irrelevant - he had broken no law, so the "conviction" would be tossed out.

  7. Re:Details on the exploit? by PRMan · · Score: 4, Informative

    Basically, they tried to put an unlimited iPad SIM card in a PC. They disassembled the driver to find out how it authorized them and realized that there was no security, it just went to a hidden website. They went to the website and it didn't work but then they changed their agent string in their browser to impersonate an iPad. At that point, it showed him his account information. After that, they just incremented the number up and down and realized that it showed them EVERYONE'S account information.

    --
    Peter predicted that you would "deliberately forget" creation 2000 years ago...