Hacker News new | past | comments | ask | show | jobs | submit login

A perfect implementation of what AT&T did is this service: http://www.mailinator.com/

As you can see all emails are accessible without a password, just a username. This is what was required to get the customers' data from AT&T, serial numbers which are by definition serial and obvious to predict, just like anyone visiting http://www.mailinator.com/ would punch in their own name to see what was there and then try some other people's names.

To make Weev's access illegal there must be at least some form of security like a password that he should circumvent. That would be illegal. Placing data accessible through usernames without passwords is not an obstacle or security measure and should NOT be criminalized because it weakens the law and makes anyone a criminal.




Ah, but AT&T did not publicise the endpoint in any way either, unlike Mailinator.

More to the point, users using Mailinator do not have an expectation of privacy regarding the data they gave Mailinator (or that they told other services to give Mailinator). This is, therefore, a different situation.

If I find someone's personal information in Mailinator, that is most likely because a user agreed to allow a service to send their personal information there. In most cases, I wouldn't have any reason to believe any of this data was not intended to be there, unless there were other clues.

In the case of the AT&T breach, two things lead me to believe that Weev violated the privacy of the users:

* It is quite unlikely that users intended to have their email addresses published to the public through this endpoint, and it can easily be shown that Weev understood that - he would not otherwise have chosen the course of action he took.

* AT&T have never publicised this endpoint.

I am not holding AT&T as the victim here, but rather the customers of AT&T whose data was breached. AT&T and Weev were equally complicit in the breach, and AT&T should be held separately responsible.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: