Security Researchers Submit Brief For Andrew "Weev" Auernheimer

USSJoin writes "Andrew Auernheimer (or Weev, as he's often better known) is serving a 41-month sentence under the Computer Fraud and Abuse Act. The case is currently on appeal to the Third Circuit Court of Appeals; his lawyer filed the appellate brief last week. Now, a group of 13 security researchers, led by Meredith Patterson, and including include Peiter "Mudge" Zatko, Space Rogue, Jericho, Shane MacDougall, and Dan Kaminsky, are making their own thoughts heard by the court. They are submitting a brief to the Third Circuit Court of Appeals that argues that not only is Weev's conviction bad law, but if upheld, it will destroy independent security research, and perhaps the rest of consumer safety research as well."

What Weev did

[wonkey_monkey]

It may have been pertinent to briefly explain what he actually did in the summary - he was the guy who got hold of 114,000 AT&T customer email addresses. Beyond that I don't know much, except that there is some argument over whether what he did was any kind of "hack" - he may have just navigated some exposed folders. Either way, you still probably get less than 41 months for kicking a puppy to death.

Re:What Weev did

[Trepidity]

He was also convicted of conspiracy to distribute those addresses for criminal purposes based on the fact that he... sold them to Russian fraudsters? No: disclosed them to a journalist. I guess the criminal purpose was embarrassing AT&T?

Re:

[MickyTheIdiot]

Look at this very thread.

It's fairly obvious where our values are placed in this country.

Re:

[interkin3tic]

He also broke a gag order. A gag order which sounds like it was intended to bully and bankrupt him into submission.

Just throwing this out there for someone with more legal insight than me: how is it that gag orders are justified when there's not a fear that one of the witnesses is going to get shot by the mob?

Re:

[steelfood]

Which shouldn't be embarassed or threatened because they're extremely helpful to the NSA and FBI in their endeavours.

That's the problem with allowing corporations to cooperate with the government. It ultimately descends into corporatist facism where one is helping to cover the other's ass and vice versa. In the end, it's the people who lose.

Re:

[reimero]

The appeal brief (linked above) is worth a read. There's a lot of legal-ese in there (obviously), but it raises some very serious questions (not the least of which is double jeopardy.) There's also the legitimate question of what constitutes "unauthorized" access. From what I can tell, AT&T used those individualized headers as an authentication/authorization scheme, and relied on security through obscurity. Auernheimer changed the headers and gained access to accounts that were not his. There was n

Re:

[Jane Q. Public]

"There's also the legitimate question of what constitutes "unauthorized" access."

Their first point is the one I feel is most pertinent and carries the most weight: the fact that calling a breach of Terms of Service a "crime" would effectively allow private corporations to write their own laws... something that is very clearly outside not just our Constitution, but our entire historic system of justice, from long before the Constitution was even conceived .

Re:

[Darinbob]

Just because you can get to something without hacking or lockpicking or decryption does not mean it was legal. If I leave my front door unlocked by mistake then it does not mean that anyone can legally come inside and look around. So that part of unauthorized access was illegal, although minor. It's the other stuff he's being charged with that is more pertinent.

Prosecutors love to pile on stuff to earn more points, and that's what seems to be going on here.

Re:

[Xtifr]

Posting something on the public internet, as AT&T did, is not equivalent to keeping it in your living room, so your analogy fails. Badly. It's more like putting things out on the sidewalk in front of your house, and then getting upset because someone came along and looked at the sidewalk, instead of following your instructions to keep their eyes closed until they reached the exact GPS coordinates you sent them.

Penalty too high, and amicus brief silly

[raymorris]

The penalty in this case was too high, even for a repeat offender.

I read the amicus brief with interest and it first it seemed like they had some good points. After thinking about it, I realized their arguments are kind of silly.

Their argument hinges on the idea that Weev couldn't have known that downloading the personal of hundreds of thousands of people was unauthorized. Seriously? They imply that because Weev COULD access it over the web, he thought he was supposed to. His statements afterwards make it

Re:

[davydagger]

in other news, a bunch of teenagers who raped another teenager, bragged about it in a video, and put it on the internet get two years(24 months) in juevinile hall)

http://abcnews.go.com/US/steubenville-football-players-guilty-ohio-rape-trial/story?id=18748493

good job America, way to let the world know you have your priorities right.

Re:

[phantomfive]

Either way, you still probably get less than 41 months for kicking a puppy to death.

FWIW in California you can get 36 months for kicking a puppy to death, unless it's your third strike, then you can get 25 years.

Re:

[ebno-10db]

The law is not supposed to punish the government for doing things we've authorized them to do.

"We"? I know I didn't authorize them to do it. Even if I, or anyone else including the president had, it still doesn't repeal the 4th Amendment.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[mi]

the 4th amendment argument is actually quite weak in this scenario and feels more like you're trying to use something unrelated to get your way

Well, if the 1st Amendment was used to establish a right to sell pornography, then the 4th may as well be used against the government browsing through our electronic records in addition to any tangible personal effects... (And the 2nd, BTW, should allow us to keep and bear any arms, which we can, ahem, "keep and bear" — including the "assault" variety.)

Re:

[Curunir_wolf]

The law is not supposed to punish the government for doing things we've authorized them to do.

I think the jury is still out over whether "we've" authorized them to do what they did or not. The secret court made a secret decision that expanded the original authorization to one that a lot more expansive. I think there is a good argument to be made that they went beyond their authorization.

Be that as it may, the insiders are never held accountable like the rest of us are. Do you think James Clapper will get the same punishment as Martha Stewart?

Stretching the laws for corporations

[sl4shd0rk]

What Weev did was spoof his Browser headers and then send a bogus ID to AT&T's webserver. The dumbasses who wrote and reviewed the code on AT&T's backend were negligent in that they blindly trusted the user input and spit out private information as a result. If that's what the Spec said was supposed to happen, then start climbing the ladder and find out who authorized customer info to be so accessible.

In my mind, the people in charge of code review at AT&T need to be in court answering questions as to what other code they have facing the internet which could be circumvented in a similar way giving away customer info to anyone who can use a common browser plugin and simply change a form variable. This is a clear case of glaring corporate negligence being covered with the Computer Fraud and Abuse Act.

I'm not even sure what the CFAA is supposed to protect, but if it's primary use is to keep people from asking questions about how their private info is stored, and who has access to it, then get rid of it. The only people winning from legislation like that are the ones who would otherwise be sued for negligence.

Re:

[Anonymous Coward]

The only people winning from legislation like that are the ones who would otherwise be sued for negligence.

And who do you think wrote the legislation?

Whenever laws like this are written, it's the corporate interests via their lobbyists who write the laws.

Then said Congressman on that particular corporation's buddy list, then submits the law as his own work.

Being a Congressman is a pretty cushy deal - 6 figure income, other people do your work, you get your ass kissed, travel around for free and get entertained, no worries about what the little people go through and it just goes on ....

If it weren't for the fa

Re:

[Infiniti2000]

Whoa, easy on the vitriol there, bub. Don't let bad design cloud your judgment of the actual case. It matters not how badly the AT&T folks implemented security (or not) on their system. The fact is Weev "stole" it (copied without permission) and then stupidly publicized it. What's more, he "shared it with various interested parties [dailytech.com]."

As far as I'm concerned, anyone calling their group Goatse Security needs to be punished anyway. I'm not interested in trying to explain to my 6yo what the fuck that me

Re:

[hublan]

Whoa, easy on the vitriol there, bub. Don't let bad design cloud your judgment of the actual case. It matters not how badly the AT&T folks implemented security (or not) on their system. The fact is Weev "stole" it (copied without permission) and then stupidly publicized it. What's more, he " shared it with various interested parties [dailytech.com]."

If AT&T had left printouts of highly personal data in a dumpster and someone had found it right there, then I don't think you would've had a problem fingering the culprit. AT&T, right? Dumpster diving would certainly not get someone 41 months in the slammer (e.g California v Greenwood).

In other words, it was right there in the open. Hence, the blame lies squarely with AT&T for not properly securing their customers' private information.

As far as I'm concerned, anyone calling their group Goatse Security needs to be punished anyway. I'm not interested in trying to explain to my 6yo what the fuck that means.

Your obvious lack of parenting skills is not his responsibili

Re:

[tnk1]

Spoofing browser headers to overcome security restrictions, even laughably bad security restrictions, is not the same as dumpster diving. For one thing, it's already been ruled that having stuff in the trash indicates the intent to make that trash freely available to be removed, and as such, anyone can remove all or any part of such and even have it used as evidence against the original owner.

So, the comparison is not appropriate because the intent and the law are strikingly different, even if company's in

Re:

[Infiniti2000]

If AT&T had left printouts of highly personal data in a dumpster and someone had found it right there, then I don't think you would've had a problem fingering the culprit. AT&T, right? Dumpster diving would certainly not get someone 41 months in the slammer (e.g California v Greenwood).

In other words, it was right there in the open. Hence, the blame lies squarely with AT&T for not properly securing their customers' private information.

This is a terrible analogy, and tnk1 has covered most of it. Let me further clarify that most locations for AT&T that I've been to do not maintain their dumpsters outside their curtilage. This would negate the reference to Greenwood v CA. Additionally, I know AT&T regularly uses a shredding company, so any really important stuff (especially for government contracts) goes through that. In any case, I think the better analogy is if I place my wallet on a counter and walk away from it. I say that

Re:Stretching the laws for corporations

[DarkOx]

I'd say ATT published it when they made it available online via webserver with no effective authentication around it.

Re:

[omnichad]

Exactly. He could have used first initials and last names and scrubbed the email address into an SHA-1 hash - enough to prove that he retrieved the list, but not enough to actually stupidly share around customer details.

Re:

[VortexCortex]

As far as I'm concerned, anyone calling their group Goatse Security needs to be punished anyway. I'm not interested in trying to explain to my 6yo what the fuck that means.

Disgusting. And you have no fucking problem with explaining why the &T in AT&T exists?

Fascist scum such as you are the ones who should be punished. Give your kid up for adoption before you destroy them with retarding ideas such as "censorship of nature isn't evil."
The children of the average uneducated natives world wide stand more of a chance at surviving to adulthood with their brains in tact, and they see "violence", "nudity" and even "intestines" just from living day to day and cooking food --

Re:

[Hatta]

The fact is Weev "stole" it (copied without permission) and then stupidly publicized it.

The fact is Weev submitted an HTTP request and got data back. Just like every other HTTP request ever.

As far as I'm concerned, anyone calling their group Goatse Security needs to be punished anyway. I'm not interested in trying to explain to my 6yo what the fuck that means.

Apparently you're not interested in trying to explain to your 6yo what freedom of speech or proportional justice means either.

Re:

[Infiniti2000]

Apparently you're not interested in trying to explain to your 6yo what freedom of speech or proportional justice means either.

That's a stupid response. Do you honestly think the origin of the goatse name is appropriate for 6 year olds? What the fuck does freedom of speech have to do with this? Or, did you seriously fucking think I really mean for him (Weev) to be punished solely on the name of the company? Can't you understand sarcasm? The fact is that Goatse Security is a really stupid name and I hope the company never gets any customers. But, no, he shouldn't do jail time for it.

Re:

[Hatta]

Or, did you seriously fucking think I really mean for him (Weev) to be punished solely on the name of the company?

Why would I not believe that, based on what you said? People believe far stupider things. Many of them are even federal prosecutors.

LOL. Okay, and.....?

[SomePoorSchmuck]

"...not only is Weev's conviction bad law, if upheld, it will destroy independent security research, and perhaps the rest of consumer safety research as well."

Yeah, I'm pretty sure that's the point. What in the world makes them think the government and the mega corps that they've merged with wouldn't want to "destroy independent security research" and "consumer safety research"? You think those federal-corporate cockroaches want you shining a light on their clandestine behind-the-fridge data gorging?

What this really is

[Zontar_Thing_From_Ve]

In reality this is a just a case of the following:
Researcher finds that Joe Blow has gone out of town and left the door to his house unlocked and open. Researcher publishes this information in a blog along with the address to the house. House gets robbed. Police hold Researcher responsible. Researcher insists it's not his fault that the house got robbed.

Yes it really is that simple.

Re:

[abiggerhammer]

By this logic, the developers of pleaserobme.com, which (before they decided they'd made their point and went to an informational site) mashed up Foursquare and Twitter data to determine when people had themselves voluntarily disclosed that they were out of their homes, should also be in prison. In other words, your analogy, along with AC's in reply to you, commit the logical fallacy of proving too much [wikipedia.org].

Re:

[sideslash]

"Stealing" is a poor choice of words to refer to copying information. When you steal from a house, then the owners of the house don't have those possessions anymore. So no, it really is not as simple as your analogy.

Re:

[mi]

Well, if NSA going through your electronic mails — without even touching anything tangible in your house — is a violation of the 4th Amendment, then the distinction you are trying to make regarding copying electronic data is without (much) difference...

Re:

[sideslash]

Why don't you just say he copied the information, my vocab-challenged AC?

Re:

[jedidiah]

> What would be a better word then? He copied information that was not his to copy, accessed by a means not known to the common person.

What he did was actually much simpler than picking a lock.

Attempting to use the "average idiot" standard isn't terribly compelling because that's a moving target. Your claim about the difficulty of this task likely does not hold true across generations.

This "l33t hack" probably a non-Herculean task for many young people just as it seems pretty trivial to any computing pro

Re:

[Trepidity]

No, it isn't really related to that at all. Public-facing web servers, unlike houses, are not by default considered private. The public is expected to and routinely does enter. They are private property, but private property regularly offered to public use. If you require a physical space analogy, sort of like a plaza owned by a corporation, in front of its HQ, which has no fences around it and is regularly accessed by the public.

Re:

[Trepidity]

Yelling numbers in a public square is not exactly forging an ID.

Re:

[interkin3tic]

I don't think in your example that the researcher should be sent to jail. Maybe the homeowners could sue him in a civil suit, but the federal government shouldn't be sending him away for noting that someone left the door unlocked and open.

Re:

[jkflying]

I think a good analogy would be a post office making all its PO boxes open when you knock on them. He opened his box and noticed that they were horribly designed, so then he knocked on all of them and took picture of the contents, which he sent to a local journalist as proof of the poor design that he had discovered.

Sure, what he did was overboard. But having such a poor security mechanism on their mail boxes is most certainly the fault of the post office. He should be blamed for the publicising (unless it

Re:

[b4upoo]

All of the weight of guilt falls upon the criminal. For example if you fail to lock up your bicycle and it is stolen the thief is not less guilty. And if i put it all over youtube that you never lock up your bicycle the thief still bears all of the guilt.

Re:What this really is

[Culture20]

Did he delete the data on AT&T servers? Refine the analogy so the researcher is using a digital camera.

Re:

[JaredOfEuropa]

Event better: "Researcher copies and publishes every document in the house as proof that the door was unlocked". Nothing was removed. I'd say that downloading the data and sharing it in some way with the press was necessary to demonstrate the weakness of AT&T's system, with the caveat that the press should use the data only to verify the claims, not publish them to the general public. His subsequent handling of the affair does merit some punishment though.

What was he actually being punished for; t

Re:

[tnk1]

The home invasion scenario only goes so far. In a trespass situation, your presence in the house is enough to get you convicted, but you may well be able to get away with copies of documents and not face charges. I would believe, however, that such an action would aggravate your trespass, or at best, could be used against you in court as evidence that you were, in fact, in the house.

However, in the case of *consumer data*, there are specific laws about that data while they happen to be in computer systems

Authoritarian governments

[Anonymous Coward]

...will be the first pwned in a cyberwar because fear will have kept their system from ever being tested.

Re:

[jklovanc]

Testing would be getting a few hundred addresses and informing the company of the issue. Weev did much more than that. He got over 114,000 email address over a number of days and sent copies to people he knew were not authorized to have that data. He crossed the line between white hat and black hat. Even the judge stated that had he stopped at a few hundred he would not have been convicted.

Sorry

[damicatz]

I'm finding trouble having sympathy for this guy.

He manipulated URLs to access areas that were not publicly visible. The information that he gleaned by manipulating these URLs was information that any reasonable person would deduce as information AT&T did not intent to make public. Rather than informing AT&T about the vulnerability, he went to Gawker and leaked the information that he gained, victimizing all of those people in the process. Just because someone leaves a door unlocked or open does not give you the right to go in and steal stuff and this is no different. Mens rea is *everything* here; if he had just gone to AT&T or acted responsibly in the disclosure, rather than trolling, he would most likely have never been charged.

As far as the prison sentence goes, he brought that on himself as well. It is *beyond* stupid to swear at a federal judge and call her a "mean bitch" when she is the one that is sentencing you. It is *beyond* stupid to go on a public forum and post that you intent to commit the same crimes again once you get out of prison. Do not complain when you get the book thrown at you after you try to turn the courtroom and the trial into a three-ring circus. Trolling a federal judge is never a good idea.

There is also the matter of his past history. I have not forgotten about what he did to Kathy Sierra or the other women that he made rape threats against. Or the "GNAA". His entire life has been dedicated to griefing people and generally being an asshole and yeah, the judge is going to look at that.

Re:Sorry

[CanHasDIY]

As far as the prison sentence goes, he brought that on himself as well. It is *beyond* stupid to swear at a federal judge and call her a "mean bitch" when she is the one that is sentencing you. It is *beyond* stupid to go on a public forum and post that you intent to commit the same crimes again once you get out of prison. Do not complain when you get the book thrown at you after you try to turn the courtroom and the trial into a three-ring circus. Trolling a federal judge is never a good idea.

Yea, it's not like the people who came up with the idea for this country made it the law that every citizen has a right to bitch to and about government agents, right?

Oh, wait... [wikipedia.org]

You know, it's a sad day in America when the exercise of our civil liberties is colloquially considered to be a "stupid" action...

Re:

[damicatz]

You have the right to free speech. That doesn't mean you have immunity from the consequences of your speech. If you go around telling everyone, during sentencing, that you are going to go and commit the same crime again (regardless of whether you agree it should be a crime or not), the judge is absolutely going to take that into account during sentencing because it indicates a high probability that the person will do the same thing again.

Re:

[CanHasDIY]

You have the right to free speech. That doesn't mean you have immunity from the consequences of your speech.

When it comes to speech about the government, you're supposed to have immunity.

That's kinda the whole fucking point; they aren't really civil liberties if you can be punished by the government by exercising them.

Re:

[damicatz]

The problem is, that simply isn't how it works and it has never worked that way.

For example, there is something called the reasonable time and place restriction. If you try to hold a protest in front of the White House at 2am in the morning, you absolutely will be forced away by the police and them doing such is perfectly constitutional. The same goes for a courtroom; you cannot act out in court. If you disagree with a judge, the appropriate process is to appeal that decision. And, furthermore, things yo

Re:

[CanHasDIY]

For example, there is something called the reasonable time and place restriction.

[citation needed], as from what I see:

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

No such distinction is made; or perhaps 'shall make no law' and 'abridging' has a different meaning in the parallel universe you inhabit?

Don't even bother with any of that 'legal precedent' nonsense, e

Re:

[damicatz]

Citation? No problem.

http://legal-dictionary.thefreedictionary.com/Time,+Place,+and+Manner+Restrictions [thefreedictionary.com]

Re:

[CanHasDIY]

Citation? No problem.

http://legal-dictionary.thefreedictionary.com/Time,+Place,+and+Manner+Restrictions [thefreedictionary.com]

While technically correct (in the bureaucratic-red-tape-nightmare sense), nothing in the link you posted indicates that is is legal or right to give a citizen a harsher sentence for expressing their right to free speech, TPM restrictions notwithstanding. Any judge giving the defendant a longer sentence solely because said defendent pissed her off (with harmless words, mind you) is an affront to the idea of justice, no matter how you try to spin it.

Also, I noticed you've decided to not respond to the rest of

Re:

[damicatz]

Amongst other things, judges base sentences on the defendants remorse, or lack thereof, as well as their prior criminal history, motivations, and how likely they are to re-offend. This is not an anti-liberty position for his speech was never restricted; no one stopped him from being an idiot on Reddit and he is not being charged with a crime or harassed for what he said. But the judge absolutely has every right to use that when determining whether he is likely to offend (I needn't remind you about the bit

Re:

[Nemyst]

Wait, you do realize your free speech right only means you have the right to say it, right? It doesn't shield you from the consequences of saying it. The guy was indeed allowed to say it, and wasn't necessarily punished for it, but in any normal society being an asshole isn't going to positively influence the people around you. You can still do it, but don't whine about the consequences.

Re:

[adri]

Actually, re-read what the right of free speech in the united states means. Then please re-evaluate your statement.

Re:

[CanHasDIY]

Actually, re-read what the right of free speech in the united states means. Then please re-evaluate your statement.

Yea, this.

Contrary to modern ideology, freedom of speech has absolutely nothing to do with the right to blast everyone around you with ads and crappy music, but rather references our natural right to bitch about the government without having to fear repercussions.... like, say, being given an extended prison sentence because you mouthed off to a government agent.

Weev should sue that mean bitch for civil rights violations, maybe even get her Constitutionally-ignorant ass barred from the bench.

Re:

[Glarimore]

You do realize that the whole point of "Free Speech" is that is DOES shield you from consequences of your speech that would come from the GOVERNMENT. You know, like extra jail time?!

Re:

[CanHasDIY]

A human element comes into play with law enforcement, as in many other areas of our lives. If you drive by a cop, roll down your window, and say, "GOOOD AFTERNOON Pole-eece ossifer!" there's a high likelihood that you'll be pulled over and busted for a minor traffic or safety violation.

Which is a gross violation of your civil liberties, an act that you and every bystander in earshot should actively protest to that pig's face.

We won't have any rights before long, if pussified bitches (like some of the respondents here) won't grow the balls necessary to defend them.

Re:

[Trepidity]

I agree trolling a federal judge is not a good idea, but that doesn't really excuse the judge inventing a sentence outside the federal sentencing guidelines based on a flimsy justification. Damages still have to be computed in a legitimate manner, and the judge is still restricted by the sentencing guidelines, even if they hate the defendant.

Re:

[ameen.ross]

But, but, she was really angry!

Re:Sorry

[thoriumbr]

Let's pretend you have a million bucks on some bank (do you have, don't you?). The bank says it will protect your money with their lives, and everything is secure. Someday you hear that one researcher (or troll, or terrorist) went to the parking next to the bank, started a sniffer, and discovered that your bank uses unencrypted WIFI networks, so he added a private IP address to its network card and could access all bank servers and read data from any account.
Who would you blame? The bank or the guy?

I still think that Weev is not a saint, but AT&T is to be blamed here. AT&T had to get a hefty fine for gross negligence, putting hundreds of thousands of customers in danger. Weev must be fined too, but serving 41 months of jail time is too much, IMHO.

Re:

[damicatz]

Both. What AT&T did was stupid and inexcusable from a security standpoint but that doesn't make exploiting it right. As I said, I would have more sympathy if he were a legitimate security researcher who tried to go through the proper channels. As it stands, he is nothing but a troll that has devoted his entire life to making other people miserable and he finally trolled one person too many.

Re:

[newcastlejon]

...
Who would you blame? The bank or the guy?

Both of them. It needn't be an either-or. The guy shouldn't be messing around with the bank's systems, and the bank shouldn't make it so easy for him to do so.

Re:

[jklovanc]

Why do people stop at the initial act when describing what Weev did. Yes, he found a security hole. That is a laudable thing. He then repeated the attempt several hundred thousand time; succeeding over 114,000 times. He then sent the list to several insecure people and organizations. As the judge stated, had he stopped at a few hundred he would never have been convicted. He started out white hat but went far over the line into black hat when he attempted so many times and published the results.

Re:Sorry

[interkin3tic]

Unfortunately, now there's a precedent for sending the next whistleblower to prison, even if said next whistleblower was a saint.

I suppose that probably would have happened anyway, since somehow companies think that a scapegoat will distract from their security lapses.

Re:

[jklovanc]

Actually the precedent is unclear as the judge stated that had Weev stopped at a few hundred email address he would not have been convicted. In fact it may be a precedent in the other direction as the data breach was very large in this case and, with the judge's comment, small data breaches may be protected as testing.

Re:

[c]

if he had just gone to AT&T or acted responsibly in the disclosure, rather than trolling, he would most likely have never been charged.

I tend to agree with most of what you wrote, except that.

It's been shown time and time again that when it comes to reporting security issues, large corporations like AT&T have a very strong "shoot the messenger" tendency. Unless you can do it anonymously, reporting a disclosure to them is almost certain to get you charged.

Re:

[jklovanc]

Even if he was charged the judge said he would have benn found not guilty if he had stopped at a few hundred successes instead of 114,000 and publishing the results.

Re:

[Glarimore]

He went to Gawker and leaked the information that he gained, victimizing all of those people in the process. Just because someone leaves a door unlocked or open does not give you the right to go in and steal stuff and this is no different.

A door being unlocked doesn't obligate you to inform the owner of the door, nor does is there any reason you can't tell someone else about it.

It is *beyond* stupid to swear at a federal judge and call her a "mean bitch" when she is the one that is sentencing you.

I think that, like with police officers, it is up to a judge to be the "bigger man" and realize that although it is rude, being a dick isn't something someone should get jail time for.

It is *beyond* stupid to go on a public forum and post that you intent to commit the same crimes again once you get out of prison.

It is stupid, but if the "crimes" that landed him in jail should not have lead him to be serving jail time to begin with, I think he has reason to make a big, public hub bub about it. Th

Re:

[jedidiah]

> I'm finding trouble having sympathy for this guy.
>
> He manipulated URLs to access areas that were not publicly visible.

Which really only puts him at the "not suffering from downs syndrome" level of intelligence.

It's a public server. Permission is implicit in the fact that something is world readable. That is what those permissions are for.

Abusing trespass laws to prosecute people that enter public places is just Fascist nonsense.

Re:

[VortexCortex]

I'm finding trouble having sympathy for this guy.

He manipulated URLs to access areas that were not publicly visible. The information that he gleaned by manipulating these URLs was information that any reasonable person would deduce as information AT&T did not intent to make public.

So, you would rather live in a world where if you see a huge hole in the side of your bank's vault, leading out into an alley, you'll be thrown in jail if you tell a sole about it? Tell me, did your education include children's books such as The Emperor's New Clothes, or are you a complete fucking moron? I'd much rather be told I'm naked and have no security, and force the fuckers to fix the issue, than to wait till I'm actually exploited to find out.

Were I him, I wouldn't want sympathy from fools li

Re:

[oxdas]

He manipulated URLs to access areas that were not publicly visible

They were on public facing servers without any authentication. That is about as "publicly visible" as it gets. He is a stupid, unsympathetic man, but that doesn't change the facts of the case. AT&T left this information on a public server. A home is terrible analogy for a public server. It is more like AT&T left the paper copies of their customer data in a corner the public lobby of their building (that they intended to be private but had not put up any signs or walls, etc) and he saw them and

Re:

[Xtifr]

I'm finding trouble having sympathy for this guy.

I have absolutely no sympathy for the guy, yet I still think that accessing a public website should not be illegal. Which, unfortunately, is what they're trying to convict the asshole for. If being a jerkwad were a crime, there would be a whole lot more people in prison. But it is not, at least yet, actually a crime.

The question here is not, is this jerk sympathetic (he's not). The question is, should accessing a public website be considered a crime simply because the owner neglected to publicize the addres

Re:

[damicatz]

Yes.

http://www.nytimes.com/2008/08/03/magazine/03trolls-t.html?pagewanted=all&_r=0 [nytimes.com]

Re:

[Charliemopps]

Ok, that link should be at the top of this discussion. After reading that I've no interest in seeing him get out of jail.

Re:

[tnk1]

Wow. Reading that article was a little bit of a shock. I always assume that the 4channers are actually fairly normal in-person, or they are like 13 year old boys. It is only the internet that lets them really go bananas.

This guy is pretty much living /b/ in real life. I'm surprised they bothered to arrest him instead of simply ordering a drone strike.

Two words: RESPONSIBLE DISCLOSURE

[MobyDisk]

RESPONSIBLE DISCLOSURE! RESPONSIBLE DISCLOSURE! RESPONSIBLE DISCLOSURE!

We need a law that states what is legally protected responsible vulnerability disclosure. Something that says "If you do it this way you are not a criminal." Something like:

1) Notify the responsible organization.
2) Give them X days.
3) After that, you may optionally notify a responsible government agency or industry organization like CERT.
4) Give them X days.
5) After that, you may go public with the information.
etc.

Anyone in the security industry should already know to do this, but a law would make it clear.

Re:

[idontgno]

But we already have a law [wikipedia.org] that accomplishes the intents and purposes of the only ones who matter: corporations.

In their mindset, there's no such thing as responsible disclosure. Any disclosure damages them and must be prevented and, if necessary, strongly punished. That way they can continue being incompetent and insecure (and save lots of money, so more profits for everyone who matters), and anyone who tries to uncover vulnerabilities will be treated as the anti-profit criminal worm they obviously are.

The

would be good to clarify criminal hacking vs. test

[raymorris]

It would be good for everyone to have it very clear where the line is. I have my name on some CVEs, so I qualify as a "security researcher", I suppose. Also, I'm paid to protect my client's systems, so I understand the costs of criminal hacking. I see both sides and from my perspective it would be good to know that I'm protected from frivolous prosecution if I follow responsible disclosure practices, while not giving a free pass to the criminals attacking us.

We have to be careful though - DMCA was designe

The brief missed a useful use case

[Anonymous Coward]

The brief describes how a web request is like asking a librarian for a book.
    If the book is non-public she then asks for credentials and if they are ok gives you the book.
        Since the ATT's web server didn't ask for credentials, the web pages were fair game.

This misses another use case.
    It is also possible to include your credentials with the request for the book.
        A librarian would respond to this request for private data just like a request for public data.
          The included credentials could be a big, secure random number, or an obvious small number like the record number.

In some cases a web site uses a simple record number for public data so that a user can access it by providing the record number.
    In this case AT&T used a simple record number for private data which they did not want accessed.

One could argue that they 'locked' the data, but with a cheap lock.
    The thing is, one can recognize a physical lock and know to respect it.
          In this case the web server provided no indication that the data was private.
                In fact, as the brief outlines, it indicated the reverse.

From their reactions, both AT&T and the security guy knew the information contained in the data should not have been public
      The security guy did not benefit for the data, but rather published the problem so it would get fixed
            (Without this, good guys might have walked by this 'lock' but how many bad guys quietly didn't?)
      AT&T reacted to 'kill the messenger' by declaring after the fact that the data was private.

It doesn't seem good law to allow this to stand.
        1) It removes the feedback which closed the security hole.
        2) It allows the server owner to escape responsibility for a poor (perhaps dangerous) design.
        3) It makes it impossible to draw the line for 'normal' versus 'criminal' web browsing for us all.
        4) It leaves a generally harmless guy in jail for violating an after the fact business rule.

Re:

[abiggerhammer]

How is the record number a credential? The record number refers to the item to be retrieved. Using the record number as a credential (sent with the request or not) is terrible design -- you're literally saying that the credential to retrieve the record is the same as the identifier of the record, which reduces to an unauthenticated GET request. This isn't even one-factor authentication, it's no-factor authentication.

Re:

[Zero__Kelvin]

That is some of the worst poetry I have ever read.

Bad poetry? Not even mildly awful.

[zooblethorpe]

The brief describes how a web request is like asking a librarian for a book.

That doesn't hold a candle to truly bad poetry. Allow me to remind you:

Oh freddled gruntbuggly,
thy micturations are to me
as plurdled gabbleblotchits on a lurgid bee.

Groop I implore thee, my foonting turlingdromes. And hooptiously drangle me with crinkly bindlewurdles,
Or I will rend thee in the gobberwarts with my blurglecruncheon, see if I don't!

And hey, let's not forget that Terran master's work:

The dead swans lay in the stagn

This law is broken.

[hessian]

AT&T wants us to believe that because their website was so insecure that feeding it sequential data would reveal private customer information, the problem can be solved by throwing the "hacker" -- who notified them immediately and did not leak the customer information -- into jail.

Yeah, right. The overseas hackers aren't going to even care that much. They'll take your information, use it to rob you blind, and presumably AT&T will cover it up, since their response has not been to address the actual p

if your car is unlocked, stealing your stereo is o

[raymorris]

So by your thinking, if you leave your car unlocked, which is a dumb thing to do security-wise, it's okay for someone to steal your stereo?

Sure, a programmer or two at AT&T did something dumb.
That's orthogonal to what Weev did.

In fact, by your logic, if a 16 year old girl walks down a dark street at night (failing to have proper security), the rapist has done nothing wrong. After all, she should have had better security . Perhaps she should have, but that doesn't make it okay to victimize someone

Re:LOL

[sideslash]

If you read those comments in a hostile light, then sure, then it looks like he's up to no good. But just from those snippets, it's ambiguous. As far as the phishing thing, how the heck do you think a security researcher would describe the importance of a vulnerability discovery? It appears that Weev had no intent to use the data maliciously, he just exposed AT&T's wrongdoing to the world. Do you have any evidence otherwise?

Re:

[martyros]

And as the brief actually points out, a person's beliefs about whether what he did was illegal or not are completely irrelevant to whether or not a crime was actually committed. If what you did was illegal, you are punished even if you believe it to be legal; but the converse holds true as well -- if what you did was legal, you should not be punished, even if you believed that it was illegal.

Re:

[CountBrass]

Sorry but your wrong.

For some, but by no means all, laws intent to break it is an important factor.

Re:LOL

[thoriumbr]

No, Weev is not an independent security researcher, he is a troll. BUT he used the same tools the researchers uses. It's like passing a law outlawing the use of lockpicks. Surely all thieves would be affected, but it would affect locksmiths too.
If Weev loses the appeal, the traffic on full-disclosure mailing list will drop a lot. If I discover a bug on Paypal website that allows anyone to access a third party's account, and I inform Paypal, I would be guilty.
Even Weev being a troll and thinking on making profits over the AT&T mistake, the problem is shifting the blame for exposing the innocent victims from AT&T to Weev. The way this is going, looks like AT&T did everything right, responsible, blameless, and a evil hacker with super-human powers hacked their NSA-grade secured servers and stole the data, when what really happened was that AT&T didn't even bothered to protect the data in any way.

Re:

[jklovanc]

If Weev loses the appeal, the traffic on full-disclosure mailing list will drop a lot. If I discover a bug on Paypal website that allows anyone to access a third party's account, and I inform Paypal, I would be guilty.

If I discover a bug on Paypal website that allows anyone to access a third party's account, succeeded over 114,000 times over a number of days, made the information public, and I inform Paypal,

FTFY. The issue is not what he did but how many times he did it. The judge in the case even said that he would not have been convicted if he had stopped at a few hundred examples to prove the vulnerability. The volume of what he did crossed the line between white hat and black hat hacking.

Re:

[stenvar]

Downloading so many addresses may well have been necessary to demonstrate the seriousness of the problem. He could have gotten a list of a few hundred examples simply by doing Google searches and crawls; it would have been meaningless.

Re:

[jklovanc]

Untrue. All he had to do was show the URLs he used to get each address and how the URLs could be changed to get more data. The company would have been able to hit those URLs and confirm that is where the data came from. That would have made it clear that there was a big issue.

He may have been able to get the email addresses from somewhere else but the evidence of the URLs is overwhelming.

Re:

[stenvar]

You don't seriously believe most journalists are capable of doing that sort of thing?

Re:

[jklovanc]

Weev didn't even report the vulnerability to the company before going to the press. Weev also knows of many tech savvy journalists to report it His motivation was to do the most damage possible and get his name in the news. Fixing the issue was not even on his radar.

Re:

[stenvar]

I don't think he had any obligation to notify them. Computer crime should require circumvention of at least some access control. If a company puts private data on the Internet without access control, the company should be fully liable for all consequences of their actions.

Re:

[jklovanc]

The URL contained the identifier for the phone. Weev fraudulently identified himself as the owner of a phone that was not actually his. He continued to extract information he knew he should not have and then published it. He did not have an obligation to notify the company but he did have an obligation to not send out copies of confidential information that he knew he shouldn't have in the first place. A white hat would notify the company. A black hat would publish the information. Weev did the latter and i

Re:

[stenvar]

A necessary condition for a computer crime should be the evasion of some access control. Identifiers are not an access control measure. The principle you espouse, namely that people have an obligation to keep confidential information of third parties confidential, is a bad one. If we adopted that, everybody constantly would have to second guess whether some piece of information might be confidential or not.

A white hat would notify the company. A black hat would publish the information. Weev did the latter a

Re:

[jklovanc]

If we adopted that, everybody constantly would have to second guess whether some piece of information might be confidential or not.

The crux of the matter is the fact that Weev knew the information was confidential but published it anyway. It is not a grey area whether or not the information was confidential. There is a big difference between finding something on a sidewalk and brute forcing millions of ID possibilities at a server. Weev knew what he was doing was illegal and is not trying to hide behind legitimate security researchers. He could have done it the right way but he decided he wanted the publicity and did it the wrong way.

Re:

[stenvar]

The crux of the matter is the fact that Weev knew the information was confidential but published it anyway.

What he "knew" shouldn't be relevant. What should be relevant is whether he had a contractual obligation to keep the data private or confidential.

There is a big difference between finding something on a sidewalk and brute forcing millions of ID possibilities at a server

There won't be when people like you are done.

and is not trying to hide behind legitimate security researchers. He could have done it th