Forgot your password?
typodupeerror
Security The Courts

Security Researchers Submit Brief For Andrew "Weev" Auernheimer 161

Posted by samzenpus
from the helping-a-hacker-out dept.
USSJoin writes "Andrew Auernheimer (or Weev, as he's often better known) is serving a 41-month sentence under the Computer Fraud and Abuse Act. The case is currently on appeal to the Third Circuit Court of Appeals; his lawyer filed the appellate brief last week. Now, a group of 13 security researchers, led by Meredith Patterson, and including include Peiter "Mudge" Zatko, Space Rogue, Jericho, Shane MacDougall, and Dan Kaminsky, are making their own thoughts heard by the court. They are submitting a brief to the Third Circuit Court of Appeals that argues that not only is Weev's conviction bad law, but if upheld, it will destroy independent security research, and perhaps the rest of consumer safety research as well."
This discussion has been archived. No new comments can be posted.

Security Researchers Submit Brief For Andrew "Weev" Auernheimer

Comments Filter:
  • What Weev did (Score:5, Informative)

    by wonkey_monkey (2592601) on Monday July 08, 2013 @09:49AM (#44215293) Homepage
    It may have been pertinent to briefly explain what he actually did in the summary - he was the guy who got hold of 114,000 AT&T customer email addresses. Beyond that I don't know much, except that there is some argument over whether what he did was any kind of "hack" - he may have just navigated some exposed folders. Either way, you still probably get less than 41 months for kicking a puppy to death.
    • Re:What Weev did (Score:5, Informative)

      by Trepidity (597) <delirium-slashdot@@@hackish...org> on Monday July 08, 2013 @10:26AM (#44215627)

      He was also convicted of conspiracy to distribute those addresses for criminal purposes based on the fact that he... sold them to Russian fraudsters? No: disclosed them to a journalist. I guess the criminal purpose was embarrassing AT&T?

      • Look at this very thread.

        It's fairly obvious where our values are placed in this country.

      • He also broke a gag order. A gag order which sounds like it was intended to bully and bankrupt him into submission.

        Just throwing this out there for someone with more legal insight than me: how is it that gag orders are justified when there's not a fear that one of the witnesses is going to get shot by the mob?
      • by steelfood (895457)

        Which shouldn't be embarassed or threatened because they're extremely helpful to the NSA and FBI in their endeavours.

        That's the problem with allowing corporations to cooperate with the government. It ultimately descends into corporatist facism where one is helping to cover the other's ass and vice versa. In the end, it's the people who lose.

    • by reimero (194707)

      The appeal brief (linked above) is worth a read. There's a lot of legal-ese in there (obviously), but it raises some very serious questions (not the least of which is double jeopardy.) There's also the legitimate question of what constitutes "unauthorized" access. From what I can tell, AT&T used those individualized headers as an authentication/authorization scheme, and relied on security through obscurity. Auernheimer changed the headers and gained access to accounts that were not his. There was n

      • "There's also the legitimate question of what constitutes "unauthorized" access."

        Their first point is the one I feel is most pertinent and carries the most weight: the fact that calling a breach of Terms of Service a "crime" would effectively allow private corporations to write their own laws... something that is very clearly outside not just our Constitution, but our entire historic system of justice, from long before the Constitution was even conceived .

      • by Darinbob (1142669)

        Just because you can get to something without hacking or lockpicking or decryption does not mean it was legal. If I leave my front door unlocked by mistake then it does not mean that anyone can legally come inside and look around. So that part of unauthorized access was illegal, although minor. It's the other stuff he's being charged with that is more pertinent.

        Prosecutors love to pile on stuff to earn more points, and that's what seems to be going on here.

        • by Xtifr (1323)

          Posting something on the public internet, as AT&T did, is not equivalent to keeping it in your living room, so your analogy fails. Badly. It's more like putting things out on the sidewalk in front of your house, and then getting upset because someone came along and looked at the sidewalk, instead of following your instructions to keep their eyes closed until they reached the exact GPS coordinates you sent them.

      • The penalty in this case was too high, even for a repeat offender.

        I read the amicus brief with interest and it first it seemed like they had some good points. After thinking about it, I realized their arguments are kind of silly.

        Their argument hinges on the idea that Weev couldn't have known that downloading the personal of hundreds of thousands of people was unauthorized. Seriously? They imply that because Weev COULD access it over the web, he thought he was supposed to. His statements afterwards make it
    • in other news, a bunch of teenagers who raped another teenager, bragged about it in a video, and put it on the internet get two years(24 months) in juevinile hall)

      http://abcnews.go.com/US/steubenville-football-players-guilty-ohio-rape-trial/story?id=18748493

      good job America, way to let the world know you have your priorities right.
    • Either way, you still probably get less than 41 months for kicking a puppy to death.

      FWIW in California you can get 36 months for kicking a puppy to death, unless it's your third strike, then you can get 25 years.

  • by sl4shd0rk (755837) on Monday July 08, 2013 @09:55AM (#44215329)

    What Weev did was spoof his Browser headers and then send a bogus ID to AT&T's webserver. The dumbasses who wrote and reviewed the code on AT&T's backend were negligent in that they blindly trusted the user input and spit out private information as a result. If that's what the Spec said was supposed to happen, then start climbing the ladder and find out who authorized customer info to be so accessible.

    In my mind, the people in charge of code review at AT&T need to be in court answering questions as to what other code they have facing the internet which could be circumvented in a similar way giving away customer info to anyone who can use a common browser plugin and simply change a form variable. This is a clear case of glaring corporate negligence being covered with the Computer Fraud and Abuse Act.

    I'm not even sure what the CFAA is supposed to protect, but if it's primary use is to keep people from asking questions about how their private info is stored, and who has access to it, then get rid of it. The only people winning from legislation like that are the ones who would otherwise be sued for negligence.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      The only people winning from legislation like that are the ones who would otherwise be sued for negligence.

      And who do you think wrote the legislation?

      Whenever laws like this are written, it's the corporate interests via their lobbyists who write the laws.

      Then said Congressman on that particular corporation's buddy list, then submits the law as his own work.

      Being a Congressman is a pretty cushy deal - 6 figure income, other people do your work, you get your ass kissed, travel around for free and get entertained, no worries about what the little people go through and it just goes on ....

      If it weren't for the fa

    • Re: (Score:3, Insightful)

      by Infiniti2000 (1720222)

      Whoa, easy on the vitriol there, bub. Don't let bad design cloud your judgment of the actual case. It matters not how badly the AT&T folks implemented security (or not) on their system. The fact is Weev "stole" it (copied without permission) and then stupidly publicized it. What's more, he "shared it with various interested parties [dailytech.com]."

      As far as I'm concerned, anyone calling their group Goatse Security needs to be punished anyway. I'm not interested in trying to explain to my 6yo what the fuck that me

      • by hublan (197388)

        Whoa, easy on the vitriol there, bub. Don't let bad design cloud your judgment of the actual case. It matters not how badly the AT&T folks implemented security (or not) on their system. The fact is Weev "stole" it (copied without permission) and then stupidly publicized it. What's more, he " shared it with various interested parties [dailytech.com]."

        If AT&T had left printouts of highly personal data in a dumpster and someone had found it right there, then I don't think you would've had a problem fingering the culprit. AT&T, right? Dumpster diving would certainly not get someone 41 months in the slammer (e.g California v Greenwood).

        In other words, it was right there in the open. Hence, the blame lies squarely with AT&T for not properly securing their customers' private information.

        As far as I'm concerned, anyone calling their group Goatse Security needs to be punished anyway. I'm not interested in trying to explain to my 6yo what the fuck that means.

        Your obvious lack of parenting skills is not his responsibili

        • by tnk1 (899206)

          Spoofing browser headers to overcome security restrictions, even laughably bad security restrictions, is not the same as dumpster diving. For one thing, it's already been ruled that having stuff in the trash indicates the intent to make that trash freely available to be removed, and as such, anyone can remove all or any part of such and even have it used as evidence against the original owner.

          So, the comparison is not appropriate because the intent and the law are strikingly different, even if company's in

        • If AT&T had left printouts of highly personal data in a dumpster and someone had found it right there, then I don't think you would've had a problem fingering the culprit. AT&T, right? Dumpster diving would certainly not get someone 41 months in the slammer (e.g California v Greenwood).

          In other words, it was right there in the open. Hence, the blame lies squarely with AT&T for not properly securing their customers' private information.

          This is a terrible analogy, and tnk1 has covered most of it. Let me further clarify that most locations for AT&T that I've been to do not maintain their dumpsters outside their curtilage. This would negate the reference to Greenwood v CA. Additionally, I know AT&T regularly uses a shredding company, so any really important stuff (especially for government contracts) goes through that. In any case, I think the better analogy is if I place my wallet on a counter and walk away from it. I say that

      • by DarkOx (621550) on Monday July 08, 2013 @10:26AM (#44215623) Journal

        I'd say ATT published it when they made it available online via webserver with no effective authentication around it.

      • by omnichad (1198475)

        Exactly. He could have used first initials and last names and scrubbed the email address into an SHA-1 hash - enough to prove that he retrieved the list, but not enough to actually stupidly share around customer details.

      • As far as I'm concerned, anyone calling their group Goatse Security needs to be punished anyway. I'm not interested in trying to explain to my 6yo what the fuck that means.

        Disgusting. And you have no fucking problem with explaining why the &T in AT&T exists?

        Fascist scum such as you are the ones who should be punished. Give your kid up for adoption before you destroy them with retarding ideas such as "censorship of nature isn't evil."
        The children of the average uneducated natives world wide stand more of a chance at surviving to adulthood with their brains in tact, and they see "violence", "nudity" and even "intestines" just from living day to day and cooking food --

      • by Hatta (162192)

        The fact is Weev "stole" it (copied without permission) and then stupidly publicized it.

        The fact is Weev submitted an HTTP request and got data back. Just like every other HTTP request ever.

        As far as I'm concerned, anyone calling their group Goatse Security needs to be punished anyway. I'm not interested in trying to explain to my 6yo what the fuck that means.

        Apparently you're not interested in trying to explain to your 6yo what freedom of speech or proportional justice means either.

        • Apparently you're not interested in trying to explain to your 6yo what freedom of speech or proportional justice means either.

          That's a stupid response. Do you honestly think the origin of the goatse name is appropriate for 6 year olds? What the fuck does freedom of speech have to do with this? Or, did you seriously fucking think I really mean for him (Weev) to be punished solely on the name of the company? Can't you understand sarcasm? The fact is that Goatse Security is a really stupid name and I hope the company never gets any customers. But, no, he shouldn't do jail time for it.

          • by Hatta (162192)

            Or, did you seriously fucking think I really mean for him (Weev) to be punished solely on the name of the company?

            Why would I not believe that, based on what you said? People believe far stupider things. Many of them are even federal prosecutors.

  • by SomePoorSchmuck (183775) on Monday July 08, 2013 @09:57AM (#44215353) Homepage

    "...not only is Weev's conviction bad law, if upheld, it will destroy independent security research, and perhaps the rest of consumer safety research as well."

    Yeah, I'm pretty sure that's the point. What in the world makes them think the government and the mega corps that they've merged with wouldn't want to "destroy independent security research" and "consumer safety research"? You think those federal-corporate cockroaches want you shining a light on their clandestine behind-the-fridge data gorging?

  • by Zontar_Thing_From_Ve (949321) on Monday July 08, 2013 @10:06AM (#44215425)
    In reality this is a just a case of the following:
    Researcher finds that Joe Blow has gone out of town and left the door to his house unlocked and open. Researcher publishes this information in a blog along with the address to the house. House gets robbed. Police hold Researcher responsible. Researcher insists it's not his fault that the house got robbed.

    Yes it really is that simple.
    • By this logic, the developers of pleaserobme.com, which (before they decided they'd made their point and went to an informational site) mashed up Foursquare and Twitter data to determine when people had themselves voluntarily disclosed that they were out of their homes, should also be in prison. In other words, your analogy, along with AC's in reply to you, commit the logical fallacy of proving too much [wikipedia.org].
    • "Stealing" is a poor choice of words to refer to copying information. When you steal from a house, then the owners of the house don't have those possessions anymore. So no, it really is not as simple as your analogy.
      • by mi (197448)
        Well, if NSA going through your electronic mails — without even touching anything tangible in your house — is a violation of the 4th Amendment, then the distinction you are trying to make regarding copying electronic data is without (much) difference...
    • by Trepidity (597)

      No, it isn't really related to that at all. Public-facing web servers, unlike houses, are not by default considered private. The public is expected to and routinely does enter. They are private property, but private property regularly offered to public use. If you require a physical space analogy, sort of like a plaza owned by a corporation, in front of its HQ, which has no fences around it and is regularly accessed by the public.

    • I don't think in your example that the researcher should be sent to jail. Maybe the homeowners could sue him in a civil suit, but the federal government shouldn't be sending him away for noting that someone left the door unlocked and open.
    • by jkflying (2190798)

      I think a good analogy would be a post office making all its PO boxes open when you knock on them. He opened his box and noticed that they were horribly designed, so then he knocked on all of them and took picture of the contents, which he sent to a local journalist as proof of the poor design that he had discovered.

      Sure, what he did was overboard. But having such a poor security mechanism on their mail boxes is most certainly the fault of the post office. He should be blamed for the publicising (unless it

    • by b4upoo (166390)

      All of the weight of guilt falls upon the criminal. For example if you fail to lock up your bicycle and it is stolen the thief is not less guilty. And if i put it all over youtube that you never lock up your bicycle the thief still bears all of the guilt.

  • by Anonymous Coward

    ...will be the first pwned in a cyberwar because fear will have kept their system from ever being tested.

    • by jklovanc (1603149)

      Testing would be getting a few hundred addresses and informing the company of the issue. Weev did much more than that. He got over 114,000 email address over a number of days and sent copies to people he knew were not authorized to have that data. He crossed the line between white hat and black hat. Even the judge stated that had he stopped at a few hundred he would not have been convicted.

  • Sorry (Score:5, Insightful)

    by damicatz (711271) on Monday July 08, 2013 @10:12AM (#44215467)

    I'm finding trouble having sympathy for this guy.

    He manipulated URLs to access areas that were not publicly visible. The information that he gleaned by manipulating these URLs was information that any reasonable person would deduce as information AT&T did not intent to make public. Rather than informing AT&T about the vulnerability, he went to Gawker and leaked the information that he gained, victimizing all of those people in the process. Just because someone leaves a door unlocked or open does not give you the right to go in and steal stuff and this is no different. Mens rea is *everything* here; if he had just gone to AT&T or acted responsibly in the disclosure, rather than trolling, he would most likely have never been charged.

    As far as the prison sentence goes, he brought that on himself as well. It is *beyond* stupid to swear at a federal judge and call her a "mean bitch" when she is the one that is sentencing you. It is *beyond* stupid to go on a public forum and post that you intent to commit the same crimes again once you get out of prison. Do not complain when you get the book thrown at you after you try to turn the courtroom and the trial into a three-ring circus. Trolling a federal judge is never a good idea.

    There is also the matter of his past history. I have not forgotten about what he did to Kathy Sierra or the other women that he made rape threats against. Or the "GNAA". His entire life has been dedicated to griefing people and generally being an asshole and yeah, the judge is going to look at that.

    • Re:Sorry (Score:4, Insightful)

      by CanHasDIY (1672858) on Monday July 08, 2013 @10:23AM (#44215589) Homepage Journal

      As far as the prison sentence goes, he brought that on himself as well. It is *beyond* stupid to swear at a federal judge and call her a "mean bitch" when she is the one that is sentencing you. It is *beyond* stupid to go on a public forum and post that you intent to commit the same crimes again once you get out of prison. Do not complain when you get the book thrown at you after you try to turn the courtroom and the trial into a three-ring circus. Trolling a federal judge is never a good idea.

      Yea, it's not like the people who came up with the idea for this country made it the law that every citizen has a right to bitch to and about government agents, right?

      Oh, wait... [wikipedia.org]

      You know, it's a sad day in America when the exercise of our civil liberties is colloquially considered to be a "stupid" action...

      • by damicatz (711271)

        You have the right to free speech. That doesn't mean you have immunity from the consequences of your speech. If you go around telling everyone, during sentencing, that you are going to go and commit the same crime again (regardless of whether you agree it should be a crime or not), the judge is absolutely going to take that into account during sentencing because it indicates a high probability that the person will do the same thing again.

        • You have the right to free speech. That doesn't mean you have immunity from the consequences of your speech.

          When it comes to speech about the government, you're supposed to have immunity.

          That's kinda the whole fucking point; they aren't really civil liberties if you can be punished by the government by exercising them.

          • by damicatz (711271)

            The problem is, that simply isn't how it works and it has never worked that way.

            For example, there is something called the reasonable time and place restriction. If you try to hold a protest in front of the White House at 2am in the morning, you absolutely will be forced away by the police and them doing such is perfectly constitutional. The same goes for a courtroom; you cannot act out in court. If you disagree with a judge, the appropriate process is to appeal that decision. And, furthermore, things yo

            • For example, there is something called the reasonable time and place restriction.

              [citation needed], as from what I see:

              Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

              No such distinction is made; or perhaps 'shall make no law' and 'abridging' has a different meaning in the parallel universe you inhabit?

              Don't even bother with any of that 'legal precedent' nonsense, e

                • While technically correct (in the bureaucratic-red-tape-nightmare sense), nothing in the link you posted indicates that is is legal or right to give a citizen a harsher sentence for expressing their right to free speech, TPM restrictions notwithstanding. Any judge giving the defendant a longer sentence solely because said defendent pissed her off (with harmless words, mind you) is an affront to the idea of justice, no matter how you try to spin it.

                  Also, I noticed you've decided to not respond to the rest of

                  • by damicatz (711271)

                    Amongst other things, judges base sentences on the defendants remorse, or lack thereof, as well as their prior criminal history, motivations, and how likely they are to re-offend. This is not an anti-liberty position for his speech was never restricted; no one stopped him from being an idiot on Reddit and he is not being charged with a crime or harassed for what he said. But the judge absolutely has every right to use that when determining whether he is likely to offend (I needn't remind you about the bit

      • by Nemyst (1383049)
        Wait, you do realize your free speech right only means you have the right to say it, right? It doesn't shield you from the consequences of saying it. The guy was indeed allowed to say it, and wasn't necessarily punished for it, but in any normal society being an asshole isn't going to positively influence the people around you. You can still do it, but don't whine about the consequences.
        • by adri (173121)

          Actually, re-read what the right of free speech in the united states means. Then please re-evaluate your statement.

          • Actually, re-read what the right of free speech in the united states means. Then please re-evaluate your statement.

            Yea, this.

            Contrary to modern ideology, freedom of speech has absolutely nothing to do with the right to blast everyone around you with ads and crappy music, but rather references our natural right to bitch about the government without having to fear repercussions.... like, say, being given an extended prison sentence because you mouthed off to a government agent.

            Weev should sue that mean bitch for civil rights violations, maybe even get her Constitutionally-ignorant ass barred from the bench.

        • You do realize that the whole point of "Free Speech" is that is DOES shield you from consequences of your speech that would come from the GOVERNMENT. You know, like extra jail time?!
    • by Trepidity (597)

      I agree trolling a federal judge is not a good idea, but that doesn't really excuse the judge inventing a sentence outside the federal sentencing guidelines based on a flimsy justification. Damages still have to be computed in a legitimate manner, and the judge is still restricted by the sentencing guidelines, even if they hate the defendant.

    • Re:Sorry (Score:4, Interesting)

      by thoriumbr (1152281) on Monday July 08, 2013 @10:30AM (#44215681) Homepage
      Let's pretend you have a million bucks on some bank (do you have, don't you?). The bank says it will protect your money with their lives, and everything is secure. Someday you hear that one researcher (or troll, or terrorist) went to the parking next to the bank, started a sniffer, and discovered that your bank uses unencrypted WIFI networks, so he added a private IP address to its network card and could access all bank servers and read data from any account.
      Who would you blame? The bank or the guy?

      I still think that Weev is not a saint, but AT&T is to be blamed here. AT&T had to get a hefty fine for gross negligence, putting hundreds of thousands of customers in danger. Weev must be fined too, but serving 41 months of jail time is too much, IMHO.
      • by damicatz (711271)

        Both. What AT&T did was stupid and inexcusable from a security standpoint but that doesn't make exploiting it right. As I said, I would have more sympathy if he were a legitimate security researcher who tried to go through the proper channels. As it stands, he is nothing but a troll that has devoted his entire life to making other people miserable and he finally trolled one person too many.

      • ...
        Who would you blame? The bank or the guy?

        Both of them. It needn't be an either-or. The guy shouldn't be messing around with the bank's systems, and the bank shouldn't make it so easy for him to do so.

      • by jklovanc (1603149)

        Why do people stop at the initial act when describing what Weev did. Yes, he found a security hole. That is a laudable thing. He then repeated the attempt several hundred thousand time; succeeding over 114,000 times. He then sent the list to several insecure people and organizations. As the judge stated, had he stopped at a few hundred he would never have been convicted. He started out white hat but went far over the line into black hat when he attempted so many times and published the results.

    • Re:Sorry (Score:4, Insightful)

      by interkin3tic (1469267) on Monday July 08, 2013 @11:01AM (#44215919)
      Unfortunately, now there's a precedent for sending the next whistleblower to prison, even if said next whistleblower was a saint.

      I suppose that probably would have happened anyway, since somehow companies think that a scapegoat will distract from their security lapses.
      • by jklovanc (1603149)

        Actually the precedent is unclear as the judge stated that had Weev stopped at a few hundred email address he would not have been convicted. In fact it may be a precedent in the other direction as the data breach was very large in this case and, with the judge's comment, small data breaches may be protected as testing.

    • by c (8461)

      if he had just gone to AT&T or acted responsibly in the disclosure, rather than trolling, he would most likely have never been charged.

      I tend to agree with most of what you wrote, except that.

      It's been shown time and time again that when it comes to reporting security issues, large corporations like AT&T have a very strong "shoot the messenger" tendency. Unless you can do it anonymously, reporting a disclosure to them is almost certain to get you charged.

      • by jklovanc (1603149)

        Even if he was charged the judge said he would have benn found not guilty if he had stopped at a few hundred successes instead of 114,000 and publishing the results.

    • He went to Gawker and leaked the information that he gained, victimizing all of those people in the process. Just because someone leaves a door unlocked or open does not give you the right to go in and steal stuff and this is no different.

      A door being unlocked doesn't obligate you to inform the owner of the door, nor does is there any reason you can't tell someone else about it.

      It is *beyond* stupid to swear at a federal judge and call her a "mean bitch" when she is the one that is sentencing you.

      I think that, like with police officers, it is up to a judge to be the "bigger man" and realize that although it is rude, being a dick isn't something someone should get jail time for.

      It is *beyond* stupid to go on a public forum and post that you intent to commit the same crimes again once you get out of prison.

      It is stupid, but if the "crimes" that landed him in jail should not have lead him to be serving jail time to begin with, I think he has reason to make a big, public hub bub about it. Th

    • by jedidiah (1196)

      > I'm finding trouble having sympathy for this guy.
      >
      > He manipulated URLs to access areas that were not publicly visible.

      Which really only puts him at the "not suffering from downs syndrome" level of intelligence.

      It's a public server. Permission is implicit in the fact that something is world readable. That is what those permissions are for.

      Abusing trespass laws to prosecute people that enter public places is just Fascist nonsense.

    • I'm finding trouble having sympathy for this guy.

      He manipulated URLs to access areas that were not publicly visible. The information that he gleaned by manipulating these URLs was information that any reasonable person would deduce as information AT&T did not intent to make public.

      So, you would rather live in a world where if you see a huge hole in the side of your bank's vault, leading out into an alley, you'll be thrown in jail if you tell a sole about it? Tell me, did your education include children's books such as The Emperor's New Clothes, or are you a complete fucking moron? I'd much rather be told I'm naked and have no security, and force the fuckers to fix the issue, than to wait till I'm actually exploited to find out.

      Were I him, I wouldn't want sympathy from fools li

    • by oxdas (2447598)

      He manipulated URLs to access areas that were not publicly visible

      They were on public facing servers without any authentication. That is about as "publicly visible" as it gets. He is a stupid, unsympathetic man, but that doesn't change the facts of the case. AT&T left this information on a public server. A home is terrible analogy for a public server. It is more like AT&T left the paper copies of their customer data in a corner the public lobby of their building (that they intended to be private but had not put up any signs or walls, etc) and he saw them and

    • by Xtifr (1323)

      I'm finding trouble having sympathy for this guy.

      I have absolutely no sympathy for the guy, yet I still think that accessing a public website should not be illegal. Which, unfortunately, is what they're trying to convict the asshole for. If being a jerkwad were a crime, there would be a whole lot more people in prison. But it is not, at least yet, actually a crime.

      The question here is not, is this jerk sympathetic (he's not). The question is, should accessing a public website be considered a crime simply because the owner neglected to publicize the addres

  • by MobyDisk (75490) on Monday July 08, 2013 @10:46AM (#44215799) Homepage

    RESPONSIBLE DISCLOSURE! RESPONSIBLE DISCLOSURE! RESPONSIBLE DISCLOSURE!

    We need a law that states what is legally protected responsible vulnerability disclosure. Something that says "If you do it this way you are not a criminal." Something like:

    1) Notify the responsible organization.
    2) Give them X days.
    3) After that, you may optionally notify a responsible government agency or industry organization like CERT.
    4) Give them X days.
    5) After that, you may go public with the information.
    etc.

    Anyone in the security industry should already know to do this, but a law would make it clear.

    • by idontgno (624372)

      But we already have a law [wikipedia.org] that accomplishes the intents and purposes of the only ones who matter: corporations.

      In their mindset, there's no such thing as responsible disclosure. Any disclosure damages them and must be prevented and, if necessary, strongly punished. That way they can continue being incompetent and insecure (and save lots of money, so more profits for everyone who matters), and anyone who tries to uncover vulnerabilities will be treated as the anti-profit criminal worm they obviously are.

      The

    • It would be good for everyone to have it very clear where the line is. I have my name on some CVEs, so I qualify as a "security researcher", I suppose. Also, I'm paid to protect my client's systems, so I understand the costs of criminal hacking. I see both sides and from my perspective it would be good to know that I'm protected from frivolous prosecution if I follow responsible disclosure practices, while not giving a free pass to the criminals attacking us.

      We have to be careful though - DMCA was designe
  • by Anonymous Coward on Monday July 08, 2013 @11:11AM (#44216011)

    The brief describes how a web request is like asking a librarian for a book.
        If the book is non-public she then asks for credentials and if they are ok gives you the book.
            Since the ATT's web server didn't ask for credentials, the web pages were fair game.

    This misses another use case.
        It is also possible to include your credentials with the request for the book.
            A librarian would respond to this request for private data just like a request for public data.
              The included credentials could be a big, secure random number, or an obvious small number like the record number.

    In some cases a web site uses a simple record number for public data so that a user can access it by providing the record number.
        In this case AT&T used a simple record number for private data which they did not want accessed.

    One could argue that they 'locked' the data, but with a cheap lock.
        The thing is, one can recognize a physical lock and know to respect it.
              In this case the web server provided no indication that the data was private.
                    In fact, as the brief outlines, it indicated the reverse.

    From their reactions, both AT&T and the security guy knew the information contained in the data should not have been public
          The security guy did not benefit for the data, but rather published the problem so it would get fixed
                (Without this, good guys might have walked by this 'lock' but how many bad guys quietly didn't?)
          AT&T reacted to 'kill the messenger' by declaring after the fact that the data was private.

    It doesn't seem good law to allow this to stand.
            1) It removes the feedback which closed the security hole.
            2) It allows the server owner to escape responsibility for a poor (perhaps dangerous) design.
            3) It makes it impossible to draw the line for 'normal' versus 'criminal' web browsing for us all.
            4) It leaves a generally harmless guy in jail for violating an after the fact business rule.

    • How is the record number a credential? The record number refers to the item to be retrieved. Using the record number as a credential (sent with the request or not) is terrible design -- you're literally saying that the credential to retrieve the record is the same as the identifier of the record, which reduces to an unauthenticated GET request. This isn't even one-factor authentication, it's no-factor authentication.
    • That is some of the worst poetry I have ever read.
      • The brief describes how a web request is like asking a librarian for a book.

        That doesn't hold a candle to truly bad poetry. Allow me to remind you:

        Oh freddled gruntbuggly,
        thy micturations are to me
        as plurdled gabbleblotchits on a lurgid bee.

        Groop I implore thee, my foonting turlingdromes. And hooptiously drangle me with crinkly bindlewurdles,
        Or I will rend thee in the gobberwarts with my blurglecruncheon, see if I don't!

        And hey, let's not forget that Terran master's work:

        The dead swans lay in the stagn

  • AT&T wants us to believe that because their website was so insecure that feeding it sequential data would reveal private customer information, the problem can be solved by throwing the "hacker" -- who notified them immediately and did not leak the customer information -- into jail.

    Yeah, right. The overseas hackers aren't going to even care that much. They'll take your information, use it to rob you blind, and presumably AT&T will cover it up, since their response has not been to address the actual p

    • So by your thinking, if you leave your car unlocked, which is a dumb thing to do security-wise, it's okay for someone to steal your stereo?

      Sure, a programmer or two at AT&T did something dumb.
      That's orthogonal to what Weev did.

      In fact, by your logic, if a 16 year old girl walks down a dark street at night (failing to have proper security), the rapist has done nothing wrong. After all, she should have had better security . Perhaps she should have, but that doesn't make it okay to victimize someone

This is a good time to punt work.

Working...