
"It should always be perfectly legal to access a remote computer system via a publicly accessible interface." No, it shouldn't, no more than it should be legal for me to walk into your house if you've not locked the door.

The system worked exactly as AT&T intended, in circumstances they'd clearly not planned for. If they'd bothered doing a risk assessment they'd have spotted it; they took the lazy option and it didn't work.


Please stop with the physical analogies. Locks and doors and physical space have well defined ways of indicating "authorized" and "unauthorized". We also have a social contract about entering spaces of others, even if there are no locks at all.

The social contract of the web is that "you can send a request to any webserver on the internet without permission". That's how the web _works_.

It's up to that server, and nothing else, to be the final arbiter of authorized/unauthorized. You don't get to move the goalposts after the fact, saying "oh, well we didn't INTEND for you to use it that way".

That's putting the burden to avoid jail on to the requester, who is now responsible for making assumptions and inferring the intent of programmers/admins they've never met or communicated with. It's lunacy.


Physical analogies are perfectly appropriate in this context. Just because someone accidentally exposes a function via their website that divulges information that isn't supposed to be viewable doesn't mean it is OK. If I've never met someone in real life who left their door unlocked, nor communicated with them, before I rob them, it is still illegal; the same goes for the web.

>The social contract of the web is that "you can send a request to any webserver on the internet without permission". That's how the web _works_.

DDoS'ing a bank website is against the law, but you are just sending a request to a webserver, right? The law will disagree. Again, it is all about context. If weev made one request to the website, noticed he was looking at data that he knew shouldn't be available to him, then quit, I'm sure he would be just fine right now. But since he didn't, this is why he is in trouble. Again, the law isn't binary (to the major dismay and hand-wringing it causes on this website), so it is up to the law to determine intent. Was he doing this by accident and should be slapped on the wrist? Or was he doing this maliciously?


> Or was he doing this maliciously?

He was _absolutely_ doing this maliciously. It STILL SHOULD NOT BE CRIMINAL.

This is a fundamental misattribution of responsibility.

His intent was to defame AT&T as much as possible, using only factual information about their own (negligent) business decisions. This, too, should be legal (and I believe it is).


Why does it have to be either/or? Why can't both people be responsible? Why can't AT&T be civilly liable for leaving a gaping hole on their application, and whoever abused that information be criminally liable?

Incidentally, every time you blame AT&T for what happened, you tacitly acknowledge that wrongdoing actually occurred, which harms your argument that the data was "published".

(In the interest of combating the fundamental attribution error: I'm not happy with Auernheimer receiving a custodial sentence for what was pretty obviously just another dumb prank. We probably agree that the sentencing component of CFAA is absurdly constructed.)


"Information abuse" is some kind of cyber-PETA ethic and law I had not yet considered, and I'm not sure it's really a good road to start down.


If you think publishing people's credit card numbers implicates a PETA-like ethic.


There were neither "people's credit card numbers" nor "publishing" in this instance. It seems like you're being intentionally confusing.

We're talking about a list of email addresses (which I don't think should be protected data in any way, they're just email addresses) and a journalist running a blacked-out screenshot of a dozen of them.


I think you know I'm not being intentionally confusing; that's not who I am. I'm responding to part of your comment. I'm not writing a brief against Auernheimer. The way you know that is, my comments have repeatedly agreed with yours that his sentence is unjust.


You're changing the subject away from your own concept of "abuse of information."


> Why can't AT&T be civilly liable for leaving a gaping hole on their application, and whoever abused that information be criminally liable?

What abuse of information are you referring to? The part where they sent it to a journalist?

I blame AT&T for being shitty and reckless, not for being criminal.


I'm responding to the zero-sum nature of your comment above, about how the company harboring the vulnerability should be the one penalized for security incidents. And all I'm saying is, there's no reason why we can't penalize both: companies, when they're negligent, and people who exploit that negligence.

Also: we both know there's more to the story with Auernheimer than simply sending material to journalists.

Once again, we probably agree that Auernheimer doesn't belong in prison over this particular incident. He was overcharged and oversentenced. But I find the exact philosophy that drives you to that conclusion challenging, which is why I called it out.


> Also: we both know there's more to the story with Auernheimer than simply sending material to journalists.

Uhh, excuse me? They discussed what could have been done maliciously with the data, and then DIDN'T DO ANY OF THOSE THINGS. I honestly don't know what else you're alluding to.

To answer your main point:

I figured it out yesterday. I believe that sending packets over the internet, of any kind, with any content, is protected speech.

We're allowed to say what we want. It's the responsibility of a listener to determine how they respond.

This is how the world works, and it should be how the internet works, too.


That's not the way the world works. You have protected speech, but you can't rely on that protection when you use it to defraud someone.


>>He was _absolutely_ doing this maliciously. It STILL SHOULD NOT BE CRIMINAL.

What kind of reality do you live in where malicious intent to cause harm to someone or some group should not be a crime?


The kind where squabbles between two private parties are civil matters until and unless someone commits (or conspires to commit) an actual crime?

Particularly when the "harm" here is harm of reputation due to the target's public actions? If I assemble a bunch of potentially-reputation-harming data on a public figure and post it on the internet with the clear intent of convincing people that public figure is incompetent, should that be an act that can get me landed in jail? Or is that speech?

Is the automated collection of that data really a thing that should be criminalized? Should it be criminal because or only when it includes identifying information of innocent bystanders?

This is publicly-available information.


Hypothetical scenario as an existence proof (not related to the situation currently at trial):

Suppose you're an investigative reporter. You regularly investigate a person or company that you feel gets away with too much, whose public actions always skate right on the line, and figure they must be doing something wrong. You feel vindictive about it because you haven't managed to find anything about them in the past. You fully intend to find something to report on that will cause their business harm; it's less about the story at this point, and more about you versus them. You find your story, you report on it (truthfully), and the result is serious enough that their business takes a major hit.

You had malicious intent to cause harm, and managed to cause the intended harm, and yet you've still done absolutely nothing wrong. (Remember that truth is an absolute defense against slander/libel accusations.)

Malicious intent to cause harm is frequently a necessary condition for a crime (leaving aside things like negligence), but never a sufficient one. You still have to do something inherently wrong.

In legal terms, see "mens rea" versus "actus reus".

Breaking into a computer system without permission by exploiting a security hole: generally a crime.

Accessing data made accessible to the general public: not wrong in the slightest, regardless of intent.

Changing your user-agent isn't exploiting a security hole (modulo changing it to ');drop table students;-- ), nor is automated access to a website (modulo DoSing). And embarrassing a company by showing that they made private user data publicly accessible definitely shouldn't be criminal.


>modulo changing it to ');drop table students;-- )

As an aside, about a year ago I made a simple web crawler that got (among other things) HTTP headers from all the servers it found. After an hour of crawling, I took the headers to start working on a parser for them, and found 7 attempts at an SQL injection. Do I get to prosecute whoever set up those servers?
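The ');drop table students;-- aside a few comments up, and the injection attempts the crawler above found in HTTP headers, both turn on the same point: a header is attacker-controlled input, and whether it is "just a request" or a working attack depends entirely on how the receiving server handles it. The following is an added example, not code from anyone in this thread. It logs a User-Agent header into SQLite two ways: by splicing it into the SQL text (where the payload really does drop a table) and through a parameterized query (where the identical bytes are stored as inert data), plus a small triage filter of the kind one would run over a header log. The table names, sample headers and the regex are all constructed for the demo.

```python
# Added example: the User-Agent header as attacker-controlled input.
# Not the code of anyone in the thread; tables, headers and regex are constructed.
import re
import sqlite3

# Constructed sample of what a crawler's header log might contain.
SAMPLE_HEADERS = [
    "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/20.0",
    "curl/7.29.0",
    "');DROP TABLE students;--",
    "' OR '1'='1",
]


def new_db():
    """Fresh in-memory database: a table to protect, a log table, a counter."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE students (name TEXT);"
        "INSERT INTO students VALUES ('alice');"
        "CREATE TABLE hits (ua TEXT);"
        "CREATE TABLE stats (n INTEGER);"
        "INSERT INTO stats VALUES (0);"
    )
    return conn


def log_hit_vulnerable(conn, user_agent):
    """String concatenation: the header text becomes part of the SQL program.

    executescript accepts stacked statements, like drivers and shell
    pipelines that do the same, so an injected DROP TABLE actually runs.
    """
    script = (
        "INSERT INTO hits VALUES ('" + user_agent + "');\n"
        "UPDATE stats SET n = n + 1;"
    )
    conn.executescript(script)


def log_hit_safe(conn, user_agent):
    """Parameterized query: the driver never parses the header as SQL."""
    conn.execute("INSERT INTO hits VALUES (?)", (user_agent,))
    conn.execute("UPDATE stats SET n = n + 1")
    conn.commit()


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def run(logger):
    """Feed every sample header through `logger`.

    Returns (students table survived?, rows in hits, value of the counter).
    """
    conn = new_db()
    for ua in SAMPLE_HEADERS:
        logger(conn, ua)
    survived = table_exists(conn, "students")
    hits = conn.execute("SELECT COUNT(*) FROM hits").fetchone()[0]
    n = conn.execute("SELECT n FROM stats").fetchone()[0]
    return survived, hits, n


# Triage heuristic for a header log: a quote followed later by a statement
# terminator, a comment marker or a SQL keyword. A filter, not an oracle.
SQLI_PATTERN = re.compile(r"['\"].*(;|--|\b(or|drop|union|select)\b)", re.IGNORECASE)


def flag_suspicious(headers):
    """Return the headers that match the injection heuristic."""
    return [h for h in headers if SQLI_PATTERN.search(h)]


if __name__ == "__main__":
    print("concatenating logger:  ", run(log_hit_vulnerable))  # (False, 4, 4)
    print("parameterized logger:  ", run(log_hit_safe))        # (True, 4, 4)
    print("flagged for review:    ", flag_suspicious(SAMPLE_HEADERS))
```

Both loggers record all four headers and bump the counter four times; only the concatenating one loses the students table. The parameterized version stores the payload verbatim, which is also what you want for later forensics: the evidence of the attempt is kept, and nothing in it is executed.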


> What kind of reality do you live in where malicious intent to cause harm to someone or some group should not be a crime?

It depends somewhat on what you class as malice. Starting a business is usually a deliberate attempt to cause harm to competitors, and success at it may well cause thousands of people to lose their jobs, etc.


The world is simply becoming too complicated; all these "tragedy of the commons" type economics are blowing up in ways that are so harmful all over. I feel it is wrong for Weev to be in jail, the same way I feel it was wrong for Max Hardcore (Paul Little) to have gone to jail, and so many others. I have been writing weev; he says he wishes more people would write him, it is very lonely in solitary confinement. In this complicated world, writing a letter to another human being seems the least I can do. I hope more people here do so too, even though I hated looking at all those goatse buttholes over the years and condemned the person who was doing that to me - LOL! I don't wish a human being to be locked up for years for what Weev has done.


Similarly, should the programmer(s) who implemented the feature (plus the staff who devised and approved it) be accused of reckless endangerment of the data?


Consider the 50+ doors the FBI broke down in response to Operation Payback, yet 0 prosecutions have occurred in the US. Before that happened it was widely speculated that DDoS was not a crime in the United States, and that appears to have been de facto agreed to by the US Attorney in this case.


Unless someone actually profits or acts illegally with the data obtained from their unintended access I think you should essentially be given a pass - to the extent that I'd want such cases ruled invalid.

Otherwise we end up in the bad situation of having a law which is going to be applied very unevenly, which opens it wide up to corruption.


>>Please stop with the physical analogies. Locks and doors and physical space have well defined ways of indicating "authorized" and "unauthorized". We also have a social contract about entering spaces of others, even if there are no locks at all.

>>The social contract of the web is that "you can send a request to any webserver on the internet without permission". That's how the web _works_.

--

Physical analogies may have their limitations when describing the web.

That said, weev KNEW for a fact that he was accessing information that should not have been public.

In other words, he KNEW that he was walking into someone's unlocked house.

Furthermore, he BRAGGED about rubbing it in AT&T's face, and wanting to cause as much damage as possible. He had malicious intent.

So no, his trespassing was not unintended. He didn't happen to just accidentally grab a bunch of email addresses from some web server he sent requests to randomly.


Why must ATT's situation be compared to an unlocked house rather than a pile of papers lying on a street corner?


True, even Wozniak has recently said he doesn't like what the USA has become, that it is like former Communist Russia or Stasi Germany, and ever since the Patriot Act we have really been hosed. I wonder if the Woz can help do anything for WEEV personally if he really feels this way (it was Apple iPad devices involved with this, right?)


> Furthermore, he BRAGGED about rubbing it in AT&T's face, and wanting to cause as much damage as possible. He had malicious intent.

Malicious intent is not criminal.

> That said, weev KNEW for a fact that he was accessing information that should not have been public.

It is massively unfair to put the burden of inferring the intention of a remote system onto the requester.

In fact, he could not have known that he was accessing information that should not have been public (as you claim), because ATT expressly configured their systems to MAKE IT PUBLIC. It wasn't an accident or misconfiguration. Your basic premise doesn't hold up, and neither does the silly physical "unlocked house" analogy.

An unlocked house implies there are locks and doors present, neither of which were in this case.

It's not trespassing, and just because it's non-random doesn't make it criminal.


"Please stop with the physical analogies." weev relied on one during his defence, so they're fair game.

The social contract of the web is usurped by the legal contract of society; whether or not the legal framework is being applied in a just and fair manner is certainly up for debate.

And honestly can you say, hand on heart, that the intention of the AT&T developers was to purposefully leave that hole there? That'd be lunacy. Clearly it's a mistake, an 'oh crap, we didn't think of that'.


It was expressly to support autocomplete.

Upon going to the wireless account management webpage on the iPad, it would already have the email address last associated with that ICCID (SIM card) filled in in the form input element, so that the user would only have to type in their password, and not the email address as well.

It was an express design decision to reduce the number of steps taken by a user to reactivate service. They explicitly chose to weaken the authentication system to increase convenience, and didn't want to do credential management, so they just used the sequential integer ICCID to fetch the email address last associated with that SIM.

Afterward, they said "oh, well, we didn't INTEND for you to use it that way", despite the fact that this is very obviously gross negligence.

It's not a hole - it's a feature they chose to implement.

The bad law that lets anyone, retroactively, define "unauthorized access" by their own attitudes and whims, is the problem here.
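The comment above describes the mechanism precisely: a sequential SIM identifier was the only key needed to fetch the email last tied to that SIM, so anyone who could send a request could walk the identifier space. The following is an added example, not AT&T's code and not anything from the court record. It models that design in a few lines, shows why a sequential identifier with no other credential is an enumeration oracle, and puts one hardened variant beside it: the server provisions a random per-SIM secret to the device at activation, and the ICCID becomes an index rather than a credential. The ICCIDs, addresses and the token scheme are constructed for the demo.

```python
# Added example, not AT&T's code: the ICCID-keyed prefill described in the
# thread, beside a variant that requires proof of possession. Constructed data.
import hmac
import secrets

# Constructed backend mapping: sequential ICCIDs -> last email used on that SIM.
# Gaps are normal (unsold or deactivated SIMs); a harvester simply skips them.
ACCOUNTS = {
    89014100000000000101: "alice@example.com",
    89014100000000000102: "bob@example.com",
    89014100000000000104: "carol@example.com",
}


def prefill_email_vulnerable(iccid):
    """Autocomplete as the thread describes it: the ICCID alone selects the
    email, with no credential, so any client that can send a request may call it."""
    return ACCOUNTS.get(iccid)


def harvest(lookup, start, count):
    """An unauthenticated client walking a sequential identifier space.

    Because the identifiers are assigned in order, the caller needs no
    specific value; counting upward from one real ICCID is enough.
    """
    found = {}
    for iccid in range(start, start + count):
        email = lookup(iccid)
        if email is not None:
            found[iccid] = email
    return found


# Hardened design (an assumption for this demo): at activation the server
# generates a random token per SIM and stores it on the device. Knowing or
# guessing the ICCID then proves nothing on its own.
DEVICE_TOKENS = {iccid: secrets.token_hex(16) for iccid in ACCOUNTS}


def prefill_email_hardened(iccid, device_token):
    """Return the email only when the caller presents that SIM's token."""
    expected = DEVICE_TOKENS.get(iccid)
    if expected is None or device_token is None:
        return None
    # Constant-time comparison so response timing does not leak the token.
    if not hmac.compare_digest(expected, device_token):
        return None
    return ACCOUNTS.get(iccid)


if __name__ == "__main__":
    base = 89014100000000000100
    print("vulnerable endpoint, walked from one ICCID:",
          harvest(prefill_email_vulnerable, base, 10))
    print("hardened endpoint, same walk, no token:    ",
          harvest(lambda i: prefill_email_hardened(i, None), base, 10))
    iccid = 89014100000000000101
    print("legitimate device with its token:          ",
          prefill_email_hardened(iccid, DEVICE_TOKENS[iccid]))
```

The point of the hardened version is not the particular token format but that the thing the server checks is unguessable and held only by the device, rather than a number printed on the SIM and handed out in sequence. Rate limiting on the endpoint is a sensible second layer, but on its own it only slows a walk like `harvest` down; it does not stop it.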


But by that logic, any kind of malicious web activity should be allowed. Once you remove all the abstractions, any kind of attack is just computers behaving how they've been instructed to. An injection attack is only a server processing a particularly strange request.


Yeah, that's basically my argument.

Don't plug shit into the internet you don't understand.

If that's a problem for you, hire someone who does understand it before you do.

I have no problem with complete deregulation of the exchange of information over the internet, as it's impossible to use violence to force anyone to do anything via an Ethernet cable.

It's impossible for a packet to be the root cause of harm coming to another.

Negligence or recklessness when attaching not-fully-understood systems to the Internet, on the other hand, should expose people to liability when the personal information stored in those systems is publicized. The fundamental cause is "idiots plugged in a server without suitable authentication", not "somebody across the world sent it some electrons".

It is crystal-clear to me that all packet transmission should be protected speech, including buffer overflows and other so-called "malicious" traffic.

Just because it's obvious to you (because you are willing to make an assumption) what is malicious and what is not, that doesn't mean that it's anything resembling fair to force others to make those assumptions to avoid criminal liability.

The full text of War and Peace could be "malicious" traffic when sent to a machine that stupidly copies it into a fixed-size buffer. This is not a job for the law to decide. It's a blunt instrument.

(There's also the issue of the stupidity of allowing the receiver to retroactively declare "oh, that was not intended, and thus unauthorized".)

The responsibility must always lie with those who interpret the traffic, not those who send it.


If you want to use a physical analogy, it would be more like I invite you into my home, then shoot you because you stepped in a spot that I didn't like.


AT&T invited weev to check their interfaces? Could I see a link with the text of that invitation?


Weev owned an iPad. His iPad checked a URL on ATT without him doing anything. That's really more than an invitation.


Really? So if you have a device that checks your email on gmail this is an invitation to browse any mailboxes stored on gmail? I have such device, you wouldn't mind me reading your gmail mailbox, right? Or would you?


Straw man: Gmail has authentication, this web service did not.


It did, it was just easy to guess. So are about 3/4 of passwords. Gmail account with weak password means no problem going through your emails, right?

