I agree with the sentiment that computer use crimes need to be reworked, and that weev shouldn't have been hoisted by the fact he is a colossal dick but the article seems to gloss over things for the sake of the argument.
- `The spoofing was irrelevant; Spitler would have gotten the same email addresses if he had manually inputted the URLs on an iPad rather than a spoofed desktop browser.`, the spoofing is incredibly relevant, it's an important technical detail. Sure he could have sat and put each string in, in a long laborious process, but they circumvented that and went straight to the faster option. Once they'd established there was a hole they could have stopped rather than going for the motherlode.
- `if there’s no technical barrier...`, there was a technical barrier, it was just very, very small.
Don't misunderstand me, AT&T are massive idiots for letting a security violation on that scale leak out into the wild, and they shouldn't have been surprised for it to be discovered, but if you're doing live security research and find a hole, is taking 114k email addresses a particularly good way to report it?
He certainly didn't deserve the ridiculous amount of time that he got, but he's not an innocent in this example by any stretch of the imagination.
It doesn't matter if they accessed one or a million - accessing information published on the web SHOULD NOT BE CRIMINAL.
Whether you agree with his methods or not, there is no stretch of the imagination that makes prison for downloading (even 114k of) them make sense.
It wasn't a hole or bug; it was an expressly implemented feature. ATT decided to do it this way to reduce resubscription friction. The iPad sends the sim serial (ICCID), and ATT sends the HTML form with the email address already filled in, so all the user has to do is enter the password.
As it turns out, ICCIDs are sequential integers.
It should always be perfectly legal to access a remote computer system via a publicly accessible interface. It's up to that remote system to respond appropriately. In this case, it was working exactly as ATT intended.
Weev knew that the greater the number of records he got, the worse it would reflect upon ATT, and rightfully so.
So, if somebody has SSH open on port 22, root password login enabled, and a root password of Pa$$w0rd, and I guess that and log in, should that be legal? If so, what about a more complex password? Should we legalise other remote attacks on systems?
It could very reasonably be argued that in the case of AT&T's system, device IDs count as passwords for accessing the system.
Simplifying things a little, there was an API, which looked somewhat like this:
GET http://example.com/get-email?device-id=123456
> example@example.com
Now, if we replaced that with some sort of bespoke raw socket interface that somebody would have to reverse-engineer:
What if I added a field named "password" which always had to be the same value, which was distributed to all devices?
What if it wasn't email addresses, but instead credit card data, or sensitive data such as your race, religion, sexuality, political leanings, medical information...?
I'm not attacking you, simply stating that in my opinion, it's not as simple as "if you can access it, it's public". There's an expectation of privacy for many types of data, especially when the data owner is not explicitly intending to publish the data.
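As an added illustration of the endpoint sketched in this comment (this is constructed example code, not code from the thread, from AT&T, or from any poster), the Python below models the "sequential device ID selects the record" lookup beside a hardened variant, and adds a server-side check that flags a client walking consecutive IDs. The challenge-response scheme, the per-device secrets, the account table, the IP addresses and the log format are all assumptions made for the example.

```python
"""
Constructed model of an account-lookup endpoint keyed on a sequential device
ID, a hardened alternative, and a log check for sequential-ID enumeration.
Not AT&T's code; all identifiers, addresses and secrets are made up.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample data: sequential device IDs mapped to account e-mails.
ACCOUNTS = {
    890000000001: "alice@example.com",
    890000000002: "bob@example.com",
    890000000003: "carol@example.com",
}


def lookup_email_insecure(device_id: int):
    """The design discussed in the thread: the ID alone selects the record.
    With sequential IDs the whole table can be walked by anyone."""
    return ACCOUNTS.get(device_id)


# Hardened variant (assumed design): each device holds a secret provisioned
# out of band and must answer a fresh server challenge before any lookup.
DEVICE_SECRETS = {dev: secrets.token_bytes(32) for dev in ACCOUNTS}
OUTSTANDING_CHALLENGES = set()   # challenges issued but not yet consumed


def issue_challenge() -> bytes:
    """Server side: mint a one-time random challenge and remember it."""
    challenge = secrets.token_bytes(16)
    OUTSTANDING_CHALLENGES.add(challenge)
    return challenge


def device_respond(device_id: int, challenge: bytes) -> str:
    """Device side: prove possession of the per-device secret."""
    return hmac.new(DEVICE_SECRETS[device_id], challenge, hashlib.sha256).hexdigest()


def lookup_email_hardened(device_id: int, challenge: bytes, response: str):
    """Return the e-mail only for a valid, unused challenge and a correct MAC.
    The challenge is consumed on first use, so a replay is rejected."""
    if challenge not in OUTSTANDING_CHALLENGES:
        return None
    OUTSTANDING_CHALLENGES.discard(challenge)
    secret = DEVICE_SECRETS.get(device_id)
    if secret is None:
        return None
    expected = hmac.new(secret, challenge, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, response):
        return None
    return ACCOUNTS[device_id]


def flag_enumeration(log_lines, window: int = 5):
    """Flag clients whose requests hit `window` consecutive device IDs in
    order. Constructed log format: '<client_ip> <device_id>' per line."""
    per_client = defaultdict(list)
    for line in log_lines:
        client, dev = line.split()
        per_client[client].append(int(dev))
    flagged = set()
    for client, ids in per_client.items():
        for i in range(len(ids) - window + 1):
            chunk = ids[i:i + window]
            if all(chunk[j + 1] - chunk[j] == 1 for j in range(window - 1)):
                flagged.add(client)
                break
    return sorted(flagged)


# Constructed sample access log: one client walks IDs 1..5 in order.
SAMPLE_LOG = [
    "198.51.100.7 890000000001",
    "203.0.113.9 890000000042",
    "198.51.100.7 890000000002",
    "198.51.100.7 890000000003",
    "198.51.100.7 890000000004",
    "198.51.100.7 890000000005",
    "203.0.113.9 890000000042",
]

if __name__ == "__main__":
    ch = issue_challenge()
    print(lookup_email_hardened(890000000002, ch, device_respond(890000000002, ch)))
    print(flag_enumeration(SAMPLE_LOG))
```

The hardened lookup accepts each challenge once, so a captured response cannot be replayed, and `hmac.compare_digest` avoids leaking the comparison through timing. The enumeration check is deliberately simple (strictly consecutive IDs from one client); a production version would also rate-limit and alert on a high miss rate.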
Also, both SSH and HTTP have defined authentication mechanisms built into the protocol.
The HTTP spec has a response code, 403, for indicating that a request (potentially without authentication information) is unauthorized. SSH has a similar defined response.
If there's _no authentication around it_, I would argue that it's published to the public web, regardless of the protocol in use to deliver it.
The expectation of privacy covers the company, not the hacker who downloads the information. What differentiates hooking up an insecure, password-authentication-based system to the Internet, and leaving a plaintext copy of the data on a hard drive on a park bench somewhere? Holding companies responsible, and more responsible than hackers, would improve the state of computer security in short order (to everyone's benefit).
I would hold both responsible quite happily and independently of each other. AT&T obviously did not heed the user's expectation of privacy in this case - they could've done so using a challenge-response authentication system with the response algorithm protected by DRM on the iPad - but in addition, Weev could reasonably be expected to understand that this was not supposed to be public data.
Additionally, the expectation of privacy, in my opinion, covers the data owners (the people who gave the company the data), not the company who is merely holding and processing the data. The US has rather messed-up data laws compared to the EU, though, so I am not sure whether this would be true over there.
As you can see all emails are accessible without a password, just a username. This is what was required to get the customers' data from AT&T, serial numbers which are by definition serial and obvious to predict, just like anyone visiting http://www.mailinator.com/ would punch in their own name to see what was there and then try some other people's names.
To make Weev's access illegal there must be at least some form of security like a password that he should circumvent. That would be illegal. Placing data accessible through usernames without passwords is not an obstacle or security measure and should NOT be criminalized because it weakens the law and makes anyone a criminal.
Ah, but AT&T did not publicise the endpoint in any way either, unlike Mailinator.
More to the point, users using Mailinator do not have an expectation of privacy regarding the data they gave Mailinator (or that they told other services to give Mailinator). This is, therefore, a different situation.
If I find someone's personal information in Mailinator, that is most likely because a user agreed to allow a service to send their personal information there. In most cases, I wouldn't have any reason to believe any of this data was not intended to be there, unless there were other clues.
In the case of the AT&T breach, two things lead me to believe that Weev violated the privacy of the users:
* It is quite unlikely that users intended to have their email addresses published to the public through this endpoint, and it can easily be shown that Weev understood that - he would not otherwise have chosen the course of action he took.
* AT&T have never publicised this endpoint.
I am not holding AT&T as the victim here, but rather the customers of AT&T whose data was breached. AT&T and Weev were equally complicit in the breach, and AT&T should be held separately responsible.
"It should always be perfectly legal to access a remote computer system via a publicly accessible interface.", no it shouldn't, no more than it should be legal for me to walk into your house if you've not locked the door.
The system worked exactly as AT&T intended, in circumstances they'd clearly not planned for. If they'd bothered doing a risk assessment they'd have spotted it, they took the lazy option and it didn't work.
Please stop with the physical analogies. Locks and doors and physical space have well defined ways of indicating "authorized" and "unauthorized". We also have a social contract about entering spaces of others, even if there are no locks at all.
The social contract of the web is that "you can send a request to any webserver on the internet without permission". That's how the web _works_.
It's up to that server, and nothing else, to be the final arbiter of authorized/unauthorized. You don't get to move the goalposts after the fact, saying "oh, well we didn't INTEND for you to use it that way".
That's putting the burden to avoid jail on to the requester, who is now responsible for making assumptions and inferring the intent of programmers/admins they've never met or communicated with. It's lunacy.
Physical analogies are perfectly appropriate in this context. Just because someone accidentally exposes a function via their website that divulges information that isn't supposed to be viewable doesn't mean it is ok. If I've never met someone in real life who left their door unlocked nor communicated with them before I rob them, just like the web, both are still illegal.
> The social contract of the web is that "you can send a request to any webserver on the internet without permission". That's how the web _works_.
DDoS'ing a bank website is against the law, but you are just sending a request to a webserver, right? The law will disagree... Again, it is all about context. If weev made one request to the website, noticed he was looking at data that he knew shouldn't be available to him, then quit, I'm sure he would be just fine right now. But since he didn't, this is why he is in trouble. Again, the law isn't binary (to the major dismay and hand wringing it causes on this website), so it is up to the law to determine intent. Was he doing this by accident and should be slapped on the wrist? Or was he doing this maliciously?
He was _absolutely_ doing this maliciously. It STILL SHOULD NOT BE CRIMINAL.
This is a fundamental misattribution of responsibility.
His intent was to defame AT&T as much as possible, using only factual information about their own (negligent) business decisions. This, too, should be legal (and I believe it is).
Why does it have to be either/or? Why can't both people be responsible? Why can't AT&T be civilly liable for leaving a gaping hole on their application, and whoever abused that information be criminally liable?
Incidentally, every time you blame AT&T for what happened, you tacitly acknowledge that wrongdoing actually occurred, which harms your argument that the data was "published".
(In the interest of combating the fundamental attribution error: I'm not happy with Auernheimer receiving a custodial sentence for what was pretty obviously just another dumb prank. We probably agree that the sentencing component of CFAA is absurdly constructed.)
There were neither "people's credit card numbers" nor "publishing" in this instance. It seems like you're being intentionally confusing.
We're talking about a list of email addresses (which I don't think should be protected data in any way, they're just email addresses) and a journalist running a blacked-out screenshot of a dozen of them.
I think you know I'm not being intentionally confusing; that's not who I am. I'm responding to part of your comment. I'm not writing a brief against Auernheimer. The way you know that is, my comments have repeatedly agreed with yours that his sentence is unjust.
I'm responding to the zero-sum nature of your comment above, about how the company harboring the vulnerability should be the one penalized for security incidents. And all I'm saying is, there's no reason why we can't penalize both: companies, when they're negligent, and people who exploit that negligence.
Also: we both know there's more to the story with Auernheimer than simply sending material to journalists.
Once again, we probably agree that Auernheimer doesn't belong in prison over this particular incident. He was overcharged and oversentenced. But I find the exact philosophy that drives you to that conclusion challenging, which is why I called it out.
> Also: we both know there's more to the story with Auernheimer than simply sending material to journalists.
Uhh, excuse me? They discussed what could have been done maliciously with the data, and then DIDN'T DO ANY OF THOSE THINGS. I honestly don't know what else you're alluding to.
To answer your main point:
I figured it out yesterday. I believe that sending packets over the internet, of any kind, with any content, is protected speech.
We're allowed to say what we want. It's the responsibility of a listener to determine how they respond.
This is how the world works, and it should be how the internet works, too.
The kind where squabbles between two private parties are civil matters until and unless someone commits (or conspires to commit) an actual crime?
Particularly when the "harm" here is harm of reputation due the target's public actions? If I assemble a bunch of potentially-reputation-harming data on a public figure and post it on the internet with the clear intent of convincing people that public figure is incompetent, should that be an act that can get me landed in jail? Or is that speech?
Is the automated collection of that data really a thing that should be criminalized? Should it be criminal because or only when it includes identifying information of innocent bystanders?
Hypothetical scenario as an existence proof (not related to the situation currently at trial):
Suppose you're an investigative reporter. You regularly investigate a person or company that you feel gets away with too much, whose public actions always skate right on the line, and figure they must be doing something wrong. You feel vindictive about it because you haven't managed to find anything about them in the past. You fully intend to find something to report on that will cause their business harm; it's less about the story at this point, and more about you versus them. You find your story, you report on it (truthfully), and the result is serious enough that their business takes a major hit.
You had malicious intent to cause harm, and managed to cause the intended harm, and yet you've still done absolutely nothing wrong. (Remember that truth is an absolute defense against slander/libel accusations.)
Malicious intent to cause harm is frequently a necessary condition for a crime (leaving aside things like negligence), but never a sufficient one. You still have to do something inherently wrong.
In legal terms, see "mens rea" versus "actus reus".
Breaking into a computer system without permission by exploiting a security hole: generally a crime.
Accessing data made accessible to the general public: not wrong in the slightest, regardless of intent.
Changing your user-agent isn't exploiting a security hole (modulo changing it to ');drop table students;-- ), nor is automated access to a website (modulo DoSing). And embarrassing a company by showing that they made private user data publicly accessible definitely shouldn't be criminal.
> modulo changing it to ');drop table students;-- )
As an aside, about a year ago I made a simple web crawler that got (among other things) HTTP headers from all the servers it found. After an hour of crawling, I took the headers to start working on a parser for them, and found 7 attempts at an SQL injection. Do I get to prosecute whoever set up those servers?
> What kind of reality do you live in where malicious intent to cause harm to someone or some group should not be a crime?
It depends somewhat on what you class as malice. Starting a business is usually a deliberate attempt to cause harm to competitors, and success at it may well cause thousands of people to lose their jobs, etc.
The world is simply becoming too complicated; all these "tragedy of the commons" type economics are blowing up in ways that are so harmful all over. I feel it is wrong for Weev to be in jail, the same way I feel it was wrong for Max Hardcore (Paul Little) to have gone to jail, and so many others. I have been writing weev; he says he wishes more people would write him, it is very lonely in solitary confinement. In this complicated world, writing a letter to another human being seems the least I can do. I hope more people here do so too, even though I hated looking at all those goatse buttholes over the years and condemned the person who was doing that to me - LOL! I don't wish a human being to be locked up for years for what Weev has done.
Similarly, should the programmer(s) who implemented the feature (plus the staff who devised and approved it) be accused of reckless endangerment of the data?
Consider the 50+ doors the FBI broke down in response to Operation Payback, yet 0 prosecutions have occurred in the US. Before that happened it was widely speculated that DDoS was not a crime in the United States, and that appears to have been de facto agreed to by the US Attorney in this case.
Unless someone actually profits or acts illegally with the data obtained from their unintended access I think you should essentially be given a pass - to the extent that I'd want such cases ruled invalid.
Otherwise we end up in the bad situation of having a law which is going to be applied very unevenly, which opens it wide up to corruption.
>> Please stop with the physical analogies. Locks and doors and physical space have well defined ways of indicating "authorized" and "unauthorized". We also have a social contract about entering spaces of others, even if there are no locks at all.
The social contract of the web is that "you can send a request to any webserver on the internet without permission". That's how the web _works_.
--
Physical analogies may have their limitations when describing the web.
That said, weev KNEW for a fact that he was accessing information that should not have been public.
In other words, he KNEW that he was walking into someone's unlocked house.
Furthermore, he BRAGGED about rubbing it in AT&T's face, and wanting to cause as much damage as possible. He had malicious intent.
So no, his trespassing was not unintended. He didn't happen to just accidentally grab a bunch of email addresses from some web server he sent requests to randomly.
True, even Wozniak has recently said he doesn't like what the USA has become, that it is like former communist Russia or Stasi Germany, and ever since the Patriot Act we have really been hosed. I wonder if the Woz can help do anything for WEEV personally if he really feels this way (it was Apple iPad devices involved with this, right?)
> Furthermore, he BRAGGED about rubbing it in AT&T's face, and wanting to cause as much damage as possible. He had malicious intent.
Malicious intent is not criminal.
> That said, weev KNEW for a fact that he was accessing information that should not have been public.
It is massively unfair to put the burden of inferring the intention of a remote system onto the requester.
In fact, he could not have known that he was accessing information that should not have been public (as you claim), because ATT expressly configured their systems to MAKE IT PUBLIC. It wasn't an accident or misconfiguration. Your basic premise doesn't hold up, and neither does the silly physical "unlocked house" analogy.
An unlocked house implies there are locks and doors present, neither of which were in this case.
It's not trespassing, and just because it's non-random doesn't make it criminal.
"Please stop with the physical analogies.", weev relied on one during his defence, so they're fair game.
The social contract of the web is usurped by the legal contract of society, whether or not the way the legal framework is being applied in a just and fair manner is certainly up for debate.
And honestly can you say, hand on heart, that the intention of the AT&T developers was to purposefully leave that hole there? That'd be lunacy. Clearly it's a mistake, an 'oh crap, we didn't think of that'.
Upon going to the wireless account management webpage on the iPad, it would already have the email address last associated with that ICCID (sim card) filled in, in the form input element, so that the user would only have to type in their password, and not the email address as well.
It was an express design decision to reduce the number of steps taken by a user to reactivate service. They explicitly chose to weaken the authentication system to increase convenience, and didn't want to do credential management, so they just used the sequential integer ICCID to fetch the email address last associated with that SIM.
Afterward, they said "oh, well, we didn't INTEND for you to use it that way", despite the fact that this is very obviously gross negligence.
It's not a hole - it's a feature they chose to implement.
The bad law that lets anyone, retroactively, define "unauthorized access" by their own attitudes and whims, is the problem here.
But by that logic, any kind of malicious web activity should be allowed. Once you remove all the abstractions, any kind of attack is just computers behaving how they've been instructed to. An injection attack is only a server processing a particularly strange request.
Don't plug shit into the internet you don't understand.
If that's a problem for you, hire someone who does understand it before you do.
I have no problem with complete deregulation of the exchange of information over the internet, as it's impossible to use violence to force anyone to do anything via an ethernet cable.
It's impossible for a packet to be the root cause of harm coming to another.
Negligence or recklessness when attaching not-fully-understood systems to the Internet, on the other hand, should expose people to liability when the personal information stored in those systems is publicized. The fundamental cause is "idiots plugged in a server without suitable authentication", not "somebody across the world sent it some electrons".
It is crystal-clear to me that all packet transmission should be protected speech, including buffer overflows and other so-called "malicious" traffic.
Just because it's obvious to you (because you are willing to make an assumption) what is malicious and what is not, that doesn't mean that it's anything resembling fair to force others to make those assumptions to avoid criminal liability.
The full text of War and Peace could be "malicious" traffic when sent to a machine that stupidly copies it into a fixed-size buffer. This is not a job for the law to decide. It's a blunt instrument.
(There's also the issue of the stupidity of allowing the receiver to retroactively declare "oh, that was not intended, and thus unauthorized".)
The responsibility must always lie with those who interpret the traffic, not those who send it.
If you want to use a physical analogy, it would be more like I invite you into my home, then shoot you because you stepped in a spot that I didn't like.
Really? So if you have a device that checks your email on gmail, this is an invitation to browse any mailboxes stored on gmail? I have such a device; you wouldn't mind me reading your gmail mailbox, right? Or would you?
> It should always be perfectly legal to access a remote computer system via a publicly accessible interface. It's up to that remote system to respond appropriately. In this case, it was working exactly as ATT intended.
The law can never be this black and white, it is all about context. Just because you may somehow access something on the web, doesn't mean it is automatically ok to do so.
You're right, the law can't. That's why we should let the final verdict for authorized/unauthorized lie IN THE CODE DEPLOYED BY THE OWNER, not the law (or the owner's retroactive statements).
It's pretty simple, really. This would be a non-issue if you programmed your cyborg to go pick up milk from the store and it started handing out $20s to strangers in the dairy aisle. Obviously that's no fault but your own.
Why is it different for a webserver?
It is massively unfair to expect someone to make assumptions about the intent of a remote system, programmed, configured, and deployed by people they have never met or communicated with, in order to avoid criminal liability.
I'm not sure what the problem is here. It seems like simple common sense to me.
So if a bank accidentally deposits $1bn in your account, that becomes yours? You're looking for a simple answer to a nuanced issue where one just doesn't exist.
That example is not at all the same as what's being discussed. The issue at hand is whether access to a public URL is authorized and who is responsible for determining that authorization.
Actually the analogy is OK, the interpretation is wrong. If you disagree with sneak you're saying the account holder should be prosecuted!
Claiming ownership of the money would be like weev selling the email list to spammers, which he didn't. What he did was reveal the defect - like the account-holder reporting the mis-deposit.
> That's why we should let the final verdict for authorized/unauthorized lie IN THE CODE DEPLOYED BY THE OWNER, not the law
I'm surprised to see this much victim blaming from such a passionate defender of personal liberties.
There is a stark difference between "AT&T deliberately decided to allow public access through this URL" and "AT&T improperly coded the authentication scheme for this URL".
From the outside the end result would be indistinguishable, which is why your binary logic can't be used in general. If we had it your way the only choice a potential victim would be legally allowed to ever make is "as strong a technical control as available (and don't screw it up, otherwise it's your fault)".
The only victims here are the people whose data ATT negligently mishandled, and even those are just civil claims.
ATT's reputational damage was earned, and was the consequence of facts that were disclosed about their terrible customer data handling practices.
There's nothing criminal at all at any point here. Even what ATT did was shitty, and they should probably get sued for being so careless and negligent, but no crimes were committed by anyone at any point along this chain.
That first sentence doesn't make sense. If a merchant screws up and manages to post a flat ASCII text file of credit card accounts with CVV numbers on a URL in a directory with an Apache index enabled, your argument says "well, sucks for the merchant and all their customers".
There are clearly cases where the mere fact that someone has left something somehow exposed to a web browser does not connote authorization to access it. Those are the cases where a reasonable person, seeing what the data is after stumbling across it, would understand the exposure to have been a mistake, and not an authorization.
I think the parent comment's first sentence makes sense -- simply accessing that information shouldn't be a crime. But if you then make a copy and either use or distribute that information illegally, that's something different.
To be clear, that's exactly what Weev did -- accessing AND keeping a copy for himself. But I think the parent comment's argument is talking specifically about access.
Creating a precedent where a "reasonable person" is expected to "understand" that the exposure was a mistake would create a huge legal gray area. Anything that's available on the public internet should be perfectly legal to access. What people do with that content is a different matter.
The law is full of judgements based on the actions of a "reasonable person". And, I agree with your first paragraph, but then, so does the CFAA; CFAA doesn't define a strict-liability crime.
If a merchant screws up and manages to post a flat ASCII text file of credit card accounts with CVV numbers on a URL in a directory with an Apache index enabled, your argument says "well, sucks for the merchant and all their customers".
Since that would be a clear and basic PCI violation, yeah, it sucks for the merchant and their customers. Why have PCI compliance at all if the merchant can just throw up their hands and blame it on "hackers?"
No, because then the collateral damage is everyone misidentified as a "hacker" because prosecutors don't know the difference between criminal actions and not, because the internet is confusing to everyone who hasn't spent the last two decades staring at the underbelly. Also, prosecutors default to "criminal" because their job is to deal with criminals all day (cf. aaronsw).
It's unreasonable for us to expect the legislature to get this right. Nothing here is criminal.
The criminal justice system deals with fraud in more complicated settings than computer hacking. For instance, it convicted ADM executives for price-fixing lysine. I don't recall anyone being up in arms at the time about how the prosecutors didn't fully understand the lysine industry.
True when you say that there can be data left out in public by mistake without public access authorization. However it is not the responsibility of the accessing entity to preserve this data private.
An analogy is if your bank left your money easily accessible on a table in front of the bank without security. We are used to the idea of ownership, but this issue is a matter of blame. Here AT&T is the one to blame for the lack of security, not someone who saw that AT&T lacks security.
Back to the bank analogy, it is not the public's duty to guard your money for the bank. Nor should someone else be jailed for money literally left outside on the table.
This is, literally, an argument that if you stumble across a text file full of credit card numbers, expiration dates, and CVV codes, it should be lawful for you to put it up on Pastebin.
What law would cover that, some implied duty to help protect something that could be intended to be kept secret? I'm pretty sure that duty doesn't exist.
"This is, literally, an argument that if you stumble across a text file full of credit card numbers, expiration dates, and CVV codes, it should be lawful for you to put it up on Pastebin."
Which, when carders are caught on forums doing the above, they are charged with wire fraud.
I agree with you completely that I don't think Weev's acts were wire fraud.
My impression is that the Pastebin'ed CC# example does not provide the charge, but evidence that helps prosecute the fraud through which they were acquired.
I'll walk back calling it a "textbook example" (because I suppose ultimately it's probably up to the quality of the lawyers involved), but the part of 18 USC 1343 that I think would be argued by the prosecution in the "pastebin cc numbers example" is:
"...or promises, transmits or causes to be transmitted by means of wire, radio, or television communication in interstate or foreign commerce, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice..."
I think the government would have a relatively easy time arguing that posting people's credit card information (specifically all the data necessary to make use of that person's funds) is a scheme for "obtaining money or property by means of false or fraudulent pretenses".
The defendant's attorney might argue that just posting the information isn't itself a scheme (in the same way that say, listing the home addresses of members of rival ethnic groups over the radio in Rwanda isn't an incitement to violence), but if I were that defendant, I wouldn't be sleeping easy.
We already have laws to prosecute people who misuse credit card numbers for gain. Either attack the edge (ppl who use the cc nums for fraud) or the root (the people who posted them on the public web).
Yeah but I was trying to show that the true problem was AT&T's negligence and not Weev pointing it out to the people. Probably not the most perfect analogy, but analogies have limits of expression.
Even if you left the door of your house open, it wouldn't be legal for me to go inside and take your TV in protest.
Frankly, you're just torturing some unclearly defined terms ("Information Published on the Web", or "Expressly Designed Feature", or "it's up to a Remote System to respond appropriately") to make a point. Thing is, most of those terms are not legal, well defined terms; and when they are, your interpretation is lacking. You'd have a hard time convincing any judge that a company expressly desired to publish email directions of all of their customers, via some opaque and undocumented URL manipulation.
Disclaimer: I don't agree with weev's conviction, and some of its aspects are outrageous ("conspiracy to access a computer without authorization"?). But this "it was public information" angle is just bullshit. It's just badly reasoned.
>>> It doesn't matter if they accessed one or a million - accessing information published on the web SHOULD NOT BE CRIMINAL.
By this logic, any information stored on any computer accessible via the Internet is published, so no unauthorized access to any data not behind an air gap is illegal. Including breaking into your private mailbox or your online banking account. I don't think I'd be ready to accept this. Are you?
The NSA palantir types sure seem to think anything on any computer is free game - LOL! Email, phones, banks yah? Shouldn't things be just the opposite of how they are according to the founding fathers, the government types that hack us should be held to a FAR HIGHER standard than some Arkansas boy like WEEV, yet they do worse, and get hookers in South America and lots of parties, while weev rots in jail for 4 years, something doesn't seem right to me about that situation.
If he were guessing passwords jail time might be appropriate.
It's fucking ridiculous that changing the user agent, even to circumvent server "protections", would be a crime worthy of any jail time whatsoever. What is he guilty of? Criminal misrepresentation of web browser?
There's certainly a fairly well culturally established method of dealing with holes in corporate internet security which Weev did not follow in this case.
However as a third person it's also useful for me to know the scope of this hole and how liable my own information was. Weev here is guilty of exactly the same reasoning that AT&T realised in court which is that a message is irrelevant without impact. And which has more impact: an article about how a vulnerability in AT&T security could have resulted in some leaked emails or an article about 114 000 potentially leaked email addresses?
The question is after hearing AT&T prosecute Spitler for discovering such a simple security hole (it could have been a lot more complex) would you feel safe disclosing any security hole even with the best intentions?
The answer is obviously no and if you can't make it public without risking being sent to prison the only option is selling it to some shady spammers.
Which would you prefer happened? From my point of view what they are doing is basically pushing the hackers to the "dark side".
If we disclose it we get arrested; if we sell it we might get caught and arrested, or make a lot of money. I'll take option 2.
Yes I would, but I'd follow the standard responsible disclosure rules that are fairly commonplace. As far as the information that's been presented makes out, there was no responsible disclosure. In fact, weev attempted to say they were going down that route whilst at the same time discussing on IRC how they could use the information for fairly black hat purposes.
I think the industry basically needs to take the informal responsible disclosure rules and try and get them made a bit more formal, for everyone's benefit.
One of the ongoing issues in the security industry is that there is no standardized form of disclosure. There are frameworks that have been put together, but only some companies embrace them. Other companies are openly hostile towards any solution that doesn't leave the power entirely in their own hands. Basically, many large companies feel that the public should remain uninformed, which then leaves the company free to keep producing insecure software.
Which is why I think there should be some attempt at a formal body, the EFF is in the right place to spearhead an attempt at implementing something along those lines.
Looks like proof of concept to me. The test in my mind is what gets done with those 114k addresses. Did they get leaked? No -- and the company was notified of the breach? No harm, no foul.
* "AT&T representative testified its reputation suffered as a result of the hack"
No, their reputation suffered, because they were incompetent. Ironically, without this trial I would have never heard about this.
* "At sentencing, instead of hearing about the effects of the iPad “hack,” the government recounted in detail Weev’s “attitudes” towards others on the internet."
That is because of the adversarial legal system in the US. All that matters is to sway an uninformed jury. The specific matter of the case is almost irrelevant as long as the jury comes to a "guilty" verdict.
Lastly, this reminds me of a civil version of the current Snowden debacle: attempt to prosecute anybody who reveals wrongdoing or incompetence.
I was a witness for a trial once and it's kinda bizarre. After all of the lawyers' speeches and questions and explanations of the law - in the end it just boils down to how 12 random people feel about it. I left with the feeling that the process is fair only in the sense that it is equally random and unfair to everyone.
If the prosecutor is able to make you seem unlikable, or you do it to yourself, you most definitely increase your risk of being convicted. Mr. Auernheimer strikes me as somebody who enjoys being shocking and perhaps unlikable in the traditional sense, which is not an ideal situation in court.
I don't think I go as far as others here. I am not sure an open door is an invitation to dig through someone's diary; that is, even if someone is incompetent in managing their security, there should probably still be a point at which abusing that crosses a line - though I am very open to discussing just where that point is (and some liability should certainly still sit with those who deployed an insecure system).
All of that said, I wholeheartedly agree that damage to reputation (where such damage comes only from revelation of the insecurity) is the fault of the people failing to live up to their reputation, not those exposing the reality of it.
It would be a violation of privacy to sit down and read it through. Whether this should be legally actionable (as opposed to just socially) is another question, of course, but nevertheless.
I, for one, like Weev. He is a boundary pusher. Many even around here on HN might perceive his stuff as tasteless. But I sincerely wish more people were as dedicated to their "ideals" as Weev is.
Defending free speech means standing up for people who have controversial views - no matter how uneasy you personally are with these views.
Definitely. Free speech stands or falls on the most offensive speech.
It's easy to support free speech when all you say or hear is motherhood and apple pie. It's the things that make people uncomfortable that need protection from censorship.
I was thinking more about things that make people emotionally uncomfortable, rather than real-life trolling that has the potential to trigger a life-threatening stampede to the exits.
Unfortunately, a big part of "what he believes in" is (to use his words) "make people afraid for their lives" and of course, "ruin lives for lulz". So, yeah, I agree he is willing to be quite bold in standing up for his right to ruin.
That said, as much as I desperately want to see him behind bars for the things he has done, this AT&T conviction horrifies me, and I hope for all of our sakes he wins this appeal. And he has been right about one thing -- this IS about "embarrassing a big company". Because no law enforcement agency is willing to pursue the actual crimes he has committed against powerless individuals... the things he does to people as part of his "performance art".
I have tried every way possible to justify his current conviction and sentencing. But I can't. I support #freeweev but I sure as hell don't support weev. And until/unless you and your family have been victimized by his "work", you really have no idea what he is capable of or truly believes in.
-- Kathy Sierra
He claims they tried to frame him 5 times for terrorism, yet I can't find any articles that detail what happened. Is there any solid evidence of this, or is it mainly speculation?
Also, if you're already on the FBI's radar, wouldn't you think it would be smarter to lay low and wait until things cool down before you start hacking again?
Depending on which list you are talking about, there are tens of thousands, hundreds of thousands, or millions of Americans on "The List." You might be one.
If you're already familiar with the background of the case, for the meat of the argument on appeal, skip to p. 15 (26th page of the PDF), starting with "Summary of Argument". That section lays out the five objections being raised on appeal, and is then followed by five sections making the detailed arguments.
A link to the Craigslist vs. 3Taps spat in this article brought back memories. Craigslist had also threatened me with a C&D letter suggesting they'd use the CFAA to lock me up. I contacted the EFF who promptly told me to go screw...
I assumed that was because Craig is on the board of advisers and CL was a major sponsor. I'm glad to see they're finally helping someone against the giant internet bully that is CL.
so here's the solution.
1) Make a website called "freeweev.com" or something
2) Put some legal mumbo jumbo at the bottom of the site that says something about unauthorized usage of this website being a crime.
3) Make the post-signup page URL look something like this:
http://freeweev.com/?id=12
That simply says "Your email: ...@gmail.com will be updated when we have info on the case. Thanks for your interest"
4) Let people "find this"
5) Get lots of people to report on the problem
6) Fix the problem after the press gets it
7) Freeweev.com takes everyone to criminal court under the CFAA. No lawyers necessary, just tell the Judge that there appears to be no difference between these cases and the AT&T case, so all of these people that hacked our site should go to jail for 41 months.
Also make sure that this involves MANY people.
8) Legal breakdown, no software development for anyone (like the screen-writers strike right?)
What a useless article. Jury found weev guilty already, and now they're filing an appeal. No word on when the appeal will be heard, just 1,000 words to fill up that lack of information, combined with linkbait headline.
What if doing so killed a person for each ID at showdocument? Ok, that's pretty absurd. What if it wiped out their bank account?
Don't you think that the consequences should depend on what the action actually accomplished, rather than the action itself? Flicking a lighter is generally pretty innocuous, but if done to light a house on fire, it means it's a bit different - right?
Yes, it's their fault too for leaving it open, but you had a choice when you decided to access it N000 times, rather than saying "oops, that does something bad, I think I'll stop".
I don't think the punishment fits the crime in this case, but I don't think he's entirely innocent either. Once you've shown that someone stupidly left their door open, the polite thing is to let them know, rather than walking around in their house looking at all their things to show them the error of their ways. IMO a fine would more than suffice as a punishment, though.
"What if doing so killed a person for each ID at showdocument? Ok, that's pretty absurd. What if it wiped out their bank account?"
Shouldn't you hold the people who created that system responsible, rather than the person who used it? If I rig up my cell phone to a gun, so that every time someone calls it, it shoots at a crowd of people, should the people who call it go to prison while I walk free?
(a) Even altering a parameter once in the address could be considered illegal under the current laws.
(b) The access of information in and of itself would not be illegal alone. Say I kept a bunch of people's information in paper files in file cabinets. Then I gave you access to retrieve yours from the file drawer yourself. It is sleazy, but not necessarily illegal to look at other files in the drawer, as I have given you access to their container.
(c) Even if you want to make the action in (b) illegal, the reasonable punishment is almost certainly not a double digit prison sentence.
> Why are we acting like AT&T is an innocent victim?
No one here is. I'm not sure why no one has done anything to them, legally. It'd be interesting if someone who actually knows what they're talking about in terms of the legal system could comment on it.
This analogy has been flawed from the beginning, but to extend it just for the fun of it, that's like pulling the trigger of a gun and then blaming the gun for having the mechanics to turn that trigger pull into a fired bullet that kills someone. The action being done is on your end, and the system, though possibly flawed, is not the cause of the results. It may be a factor and it may enable those results, but the actor is the cause in that situation.
I honestly don't even know where I stand on the actual discussion point, but I do know where I stand in the weird analogy tree we've made.
It is more like blaming the owner of the gun, who loaded the gun, aimed it, set up the shot, and then left it up to the trigger man whether or not to pull the trigger.
Bringing things back to reality here, AT&T was entrusted with personal information but failed to properly secure it. They set up a system that automatically responded to requests for personal information. They gave unauthorized people access to that system. We should be blaming AT&T and making them pay punitive damages for their irresponsible behavior, not whining about how terrible Weev is for using the system they gave him access to. The fact that AT&T can just shrug it off is what allows the sorry state of security to persist.
The GET method should be safe (and idempotent). The implementation is not respecting RFC 2616.
The RFC says in section 9.1.1 that: "Naturally, it is not possible to ensure that the server does not generate side-effects as a result of performing a GET request; in fact, some dynamic resources consider that a feature. The important distinction here is that the user did not request the effects, so therefore cannot be held accountable for them."
That would be a crime, because then the email addresses would've been "possessed" or "transferred" "in connection with" another distinct and separate crime.
But giving them to a responsible journalist for whistle-blowing purposes is not a crime. It's a public service.
Yes, because organizations that use simple password-based authentication to secure important things (bank accounts, private messages, etc.) should be held responsible for the outcomes of such attacks. In such a world the state of computer security would not be so pitiful.
You and sneak seem to be proposing a legal regime under which no "hacking" of any kind is illegal. If the system will perform action B given request A, issuing request A, no matter the intent, cannot be a crime?
If I'm missing an important distinction you'd make, I'd very much like to hear what it is.
I would prefer if the system punished people for what they did with their access to data, not simply for having that access; organizations that hold private or sensitive information should be punished if unauthorized people can access it by any means. Having email addresses or credit card numbers should not be the crime, regardless of how you obtained that information. Committing credit card fraud or selling credit card information to other unauthorized people should be crimes (or failing to secure your computer where you store said information).
So Weev should not be punished for downloading the email addresses. AT&T should be punished for making the list available to him (and likewise, if Weev made the list available to others, he should be punished for that).
Apologies for crossing threads, but aren't you pretty upset that the NSA simply has Verizon phone records, despite a lack of evidence they're planning on doing anything nefarious with them?
Anyway, as I understand it, weev did speculate about selling the information. And would you be so sanguine if this were health records or private photographs? I'm not seeing a plausible guiding principle here.
We hold the government to a different standard. I am free to forbid atheists from entering my home, and nobody can complain about it beyond calling me an asshole. The government cannot ban atheists from its buildings. Many people have pointed out that the NSA was collecting information that private industry already had -- yet we are still angry about the NSA having it.
I also draw a line between what makes me upset and what should be a crime. I do not think that everything that makes me upset should be illegal. Frankly, while I would be angry at Weev if he downloaded hospital records, I would be much more angry at the hospital that failed to secure those records. I believe that the law should draw the line at how the information is secured and how it is used, not how it is obtained.
@betterunix-- seriously? It's OK with you if they get your private data, no matter how they acquire it? Spoken like someone who has never had exposure of private data used as a THREAT... something weev is known for. If someone uses illegal means to obtain your private data, they can exploit/weaponize that acquisition without having to then use the private data to commit a different crime. (different from the crime -- usually fraud -- in how they obtained it).
Weev has taught many of us that acquiring your private data is enough to make you wonder when, exactly, he will decide to use it. Or in my case, to publish it and encourage the whole WORLD to use it. And don't get me started on medical records... If you honestly believe that acquiring private data shouldn't be illegal until it is used in a crime, you have obviously never been threatened with exposure from someone who did just that. (but again, I don't think this applies to the AT&T case) -- Kathy Sierra
Blackmail and harassment are both crimes, you know. If someone is threatening to expose your private data, it makes no difference how they acquired it -- it is a crime regardless of whether or not they were authorized to have it.
The problem with charging hackers for having information they are not supposed to have is that it takes the responsibility to keep data secure away from those who are entrusted with it. Take medical records as an example. Yes, we want them to be kept private, but that should be the responsibility of hospitals, doctors, etc. If some hacker downloads those files, the hospital should be punished for their failure to keep the files secure. If we want to believe that hackers are magicians and that any Internet-connected system can be compromised, don't connect systems with medical records to the Internet.
What is wrong with making it the responsibility of anyone who has private information to keep that information private? If a hacker downloads a hospital's records, I think it is fair to expect that hacker to keep those records private, and to prosecute the hacker if they are revealed to anyone for any reason (even if the hacker is himself a victim of another hacker).
People should not have to be afraid to run a web crawler out of their own house. Yes, a web crawler is going to find private information that was not properly secured. That should not make the person running the crawler a criminal.
Hacking as a crime is almost entirely an economic crime. So it is pretty easy to distinguish hacking that deserves to be a felony from hacking that, at worst, should be a low-grade misdemeanor, by requiring actual profit for the criminal or actual loss from loss of data or exploitation of data acquired by hacking (not what it costs to fix incompetent security).
We know how to stop brute force attacks; we have known for years how to stop them. I see brute force attacks on my SSH servers all the time, and I ignore them. I am comfortable ignoring brute force attacks because I do not allow password authentication at all. The attacker would have to try to guess one of the users' secret keys -- and that is beyond just a long shot.
So why have we not deployed this "amazing" technology, or similar technology, everywhere? A lack of incentive. If a hacker successfully carries out a brute force attack, the company running the systems does not suffer at all; they just pass it off as "some dark wizard hacker pwned us, sorry!" Nobody is spending the money to deploy smartcards far and wide because nobody has any reason to. It is less expensive to pay the pittance required to clean up after a hack than to stop hacks in the first place. If banks had no legal recourse when some script kiddie hacked a customer account, they would be far more likely to give customers smartcards and use more secure authentication mechanisms.
To put it another way, making a brute-force attack a crime is placing responsibility for securing the system on the people who want to attack it. It should be obvious why that makes no sense.
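The key-only SSH setup this comment relies on, as an added example (not the commenter's code): a small audit of an sshd_config's global section that flags the settings which keep password guessing possible, run over two constructed sample files. The defaults and the first-value-wins rule are those documented in sshd_config(5); everything else here is assumed for illustration.

```python
import re

# OpenSSH defaults applied when a keyword is absent. Keyword names are
# case-insensitive, and for each keyword sshd uses the FIRST value it reads,
# so a "PasswordAuthentication no" appended at the end of the file is ignored
# if an earlier line already set it.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",   # PAM-driven password prompts
    "permitemptypasswords": "no",
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
}
# Pre-8.7 spelling of the same keyword.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config,
    applying sshd's first-value-wins rule. Only whole-line '#' comments are
    comments (sshd has no trailing comments). Parsing stops at the first
    Match block, whose conditional overrides are out of scope here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip().lower()
    return settings


def audit_sshd_config(text):
    """Return findings that leave the daemon exposed to password guessing.
    An empty list means key-only login with a per-connection bound on
    attempts; network-level rate limiting must still be checked separately."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is on: accounts can be brute-forced")
    if cfg["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication is on: PAM password prompts remain reachable")
    if cfg["permitemptypasswords"] == "yes":
        findings.append("PermitEmptyPasswords yes: blank passwords are accepted")
    if cfg["permitrootlogin"] == "yes" and cfg["passwordauthentication"] != "no":
        findings.append("PermitRootLogin yes with passwords: root is a guessable target")
    if not cfg["maxauthtries"].isdigit() or int(cfg["maxauthtries"]) > 3:
        findings.append("MaxAuthTries %s: more than 3 guesses per connection" % cfg["maxauthtries"])
    return findings


# Constructed sample 1: a stock-style config where a hardening line was
# appended without removing the earlier setting, so it never takes effect.
WEAK_CONFIG = """\
# sshd_config (constructed example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
# appended later; ignored because the keyword was already set above
PasswordAuthentication no
"""

# Constructed sample 2: key-only login, the setup the comment describes.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["no findings"])
```

On a live host, `sshd -T` prints the effective values after this same first-value-wins resolution, which is the quickest way to confirm what the daemon actually applies.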
Yes. You can't use force or coercion to rob a server of data, all you can do is ask nicely (or repeatedly).
In a just world, we would let full responsibility lie with those who deployed the machines without understanding the consequences of, e.g., no login failure rate limiting.
An exploit is asking nicely; all I did was GET /????\n\n\n\nfjasdfuisdjflkwenuadfnwerAAJLKJFIEFSEIFJSDLFKJERIWERRISLDKJLDKJF and then I connected to a shell on port 8118? I mean, it just answered the request ...
I wasn't saying passwords and websites are the same (I'm not even sure what that means) but was pointing out that saying it's fine to throw random stuff at a webserver would mean that it's fine to repeatedly throw user/pass combinations at a webserver.