41 Months In Prison For Man Who Leaked AT&T iPad Email Addresses

Soulskill posted about a year ago | from the looked-at-a-poster-and-told-somebody-about-it dept.


In 2010, querying a public AT&T database yielded over 114,000 email addresses for iPad owners who were subscribed to the carrier. One of the people who found these emails, Andrew 'weev' Auernheimer, sent them to a news site to publicize AT&T's security flaw. He later ended up in court for his actions. Auernheimer was found guilty, and today he was sentenced to 41 months in prison. 'Following his release from prison, Auernheimer will be subject to three years of supervised release. Auernheimer and co-defendant Daniel Spitler were also ordered to pay $73,000 in restitution to AT&T. (Spitler pled guilty in 2011.) The pre-sentencing report prepared by prosecutors recommended four years in federal prison for Auernheimer.' A journalist watching the sentencing said, 'I felt like I was watching a witch trial as prosecutors admitted they didn't understand computers.'


459 comments

Good (4, Insightful)

kamapuaa (555446) | about a year ago | (#43204821)

Know I'll get modded down for going against Slashdot groupthink. But what is the argument suggesting? "It all happened on a computer, it shouldn't be prosecuted?" Stealing private information and releasing in publicly isn't just obviously illegal, it caused grief for 114,000 people.

Even if AT&T has a shitty security system, that doesn't make it legal to break in. I'd love to see Slashdot do more mundane crimes. Maybe the home had a sign saying "beware of dog," but the dog was actually at the vet, so the robber was just publicizing a security flaw.

Re:Good (5, Insightful)

1729 (581437) | about a year ago | (#43204911)

He didn't "break in". He sent requests to a publicly-accessible web server, and AT&T sent back private information. This wasn't hacking, or even a DOS attack. AT&T is at fault here.

Re:Good (5, Insightful)

Anonymous Coward | about a year ago | (#43205015)

That. It's a flaw that AT&T never would have addressed without public pressure. Further, Mr. Auernheimer did not release private info to the public -- the news agency to which he released the then already-public information is responsible for further publicizing it.

Bottom line: it is ludicrous-speed absurd to prosecute somebody for publicizing already public information. If a newspaper accidentally prints the names and addresses of its entire subscriber base in the classifieds, and I call them to report it, can I then be held accountable for "releasing" the information?

Re:Good (0, Troll)

Synerg1y (2169962) | about a year ago | (#43205313)

1. Popular or not I feel he deserved what he got for linking himself to the leak, he could've just as easily leaked it anonymously, I'm willing to bet the prosecution's main argument wasn't about the poor users, but at&t's hurt reputation.

2. It sounds like he needed a better lawyer to explain the public availability of the database, but that yields a more interesting question: in the case of IT incompetency, is it the hacker's fault for taking the public information, or the IT dept's fault for exposing it? Sounds like more of a moral question than a legal one. But to simplify things, say I left a pile of gold in the street, I can't have any expectation it'll be there tomorrow, the street's not mine, but say I left it in my yard, and it's unfenced, to get it, you have to trespass + it's on my property. That's what this guy did, he trespassed and took it, but he took it through a public API, so it could be argued he didn't know any better, but when he went to publish it... that's where the headlines come into place.

Re:Good (3, Interesting)

coniferous (1058330) | about a year ago | (#43205023)

Actually, they are both at fault here.
I don't see a huge effort by Andrew to contact AT&T and say "uh, guys, you have a huge problem here".
It's very easy to perceive his actions in a malicious way.
Not that AT&T didn't goof, but this was the wrong way to address it.

Re:Good (4, Insightful)

1729 (581437) | about a year ago | (#43205101)

Nearly everything Weev does is malicious, but the question is: is it (or should it be) illegal? He was convicted of identity fraud and "conspiracy to access a computer without authorization". Think about that: requesting unprotected publicly-accessible webpages is "access[ing] a computer without authorization". By that standard, anyone who uses the internet could be convicted of a crime.

Re:Good (2, Insightful)

coniferous (1058330) | about a year ago | (#43205273)

Based on the context it was more than just accessing publicly available data. It's not as if he clicked on a link and went "Oh, look, a bunch of e-mail addresses!". There was effort involved in getting to that list.

That being said, even if he did run into a bunch of e-mail addresses by being in the wrong place at the wrong time.. e-mailing that list to someone and going "OMG LOOK AT THIS" was proof that he knew the seriousness of the list he found. It cannot be argued that he did not know what he was doing.

Re:Good (0)

Anonymous Coward | about a year ago | (#43205289)

Nearly everything Weev does is malicious, but the question is: is it (or should it be) illegal? He was convicted of identity fraud and "conspiracy to access a computer without authorization". Think about that: requesting unprotected publicly-accessible webpages is "access[ing] a computer without authorization". By that standard, anyone who uses the internet could be convicted of a crime.

Isn't a key element of the legal case that he also retransmitted the private information? He did not merely receive it.

Re:Good (1)

Psyborgue (699890) | about a year ago | (#43205323)

And would AT&T do anything about it? What about the next security hole? Public embarrassment does a lot more to cause the necessary heads to roll than trying to do AT&T's jobs for them. They were incompetent and irresponsible with customer data and as far as I'm concerned, handing the data to the press was the absolute right call. How else to punish and teach?

Re:Good (2, Insightful)

jxander (2605655) | about a year ago | (#43205061)

Meatspace analogy :

If a bank didn't have a door on its vault, or any forms of security whatsoever, would you walk in and take out all the money? Even if you proceeded directly to the local police department to report the security flaw and deliver the unguarded money, you'd find yourself in quite a bit of trouble.

Re:Good (2)

jd659 (2730387) | about a year ago | (#43205117)

A better analogy: A bank has a web server that takes person's name and returns that person's SSN. A "hacker" sends your username and gets your SSN. He does that for several people from the phone directory. Hacker goes to prison for the BANK'S FAULT of exposing SSNs.

Re:Good (0)

Anonymous Coward | about a year ago | (#43205255)

A better analogy: A bank has a web server that takes person's name and returns that person's SSN. A "hacker" sends your username and gets your SSN. He does that for several people from the phone directory. Hacker goes to prison for the BANK'S FAULT of exposing SSNs.

No that is a poor analogy. It omits the part where the hacker sends the SSNs to a 3rd party. The hacker did not merely receive private information, he retransmitted it too.

Re:Good (1)

cide1 (126814) | about a year ago | (#43205121)

He didn't walk into the bank vault, the bank vault threw money at him, and he didn't throw it back. Very big difference.

Re:Good (0)

Anonymous Coward | about a year ago | (#43205209)

No, not so much. You could go to jail for that [go.com] , too, as one guy who recently did the right thing [go.com] learned after an ATM spit money out at him.

Re:Good (0)

Anonymous Coward | about a year ago | (#43205233)

He didn't walk into the bank vault, the bank vault threw money at him, and he didn't throw it back. Very big difference.

That does not seem an accurate characterization of events. Perhaps the vault threw money at him and then he threw money to a 3rd party. That last bit about passing private info to a 3rd party is critical.

Re:Good (0)

Anonymous Coward | about a year ago | (#43205263)

He didn't walk into the bank vault, the bank vault threw money at him, and he didn't throw it back. Very big difference.

A few things: he sent the requests in to get the data, it's not like a DVD with the data was mistakenly delivered to him. Distributing the results was also certainly an elective decision - if he wanted to he could have embarrassed AT&T over their crappy security without harming their customers. And lastly, in many countries if a bank does mistakenly give you money, you can't appropriate it for your own use without breaking the law. You don't have to put particular effort into giving it back, but if you spend it and the jury knows you can't possibly have thought it was your own money (so you might get away with $100, but not $50,000) you will be going to jail.

Re:Good (4, Interesting)

BitZtream (692029) | about a year ago | (#43205331)

No, he made explicit requests for information using trial and error and reverse engineering to find a location that would divulge sensitive information to him.

It didn't throw shit at him, he went digging for it.

Re:Good (4, Insightful)

1729 (581437) | about a year ago | (#43205135)

Meatspace analogy :

If a bank didn't have a door on its vault, or any forms of security whatsoever, would you walk in and take out all the money? Even if you proceeded directly to the local police department to report the security flaw and deliver the unguarded money, you'd find yourself in quite a bit of trouble.

Here's a better analogy: you send the bank self-addressed stamped envelopes, and they willingly send private information about their clients back to you in those envelopes.

Re:Good (0)

Anonymous Coward | about a year ago | (#43205139)

The vault's entrance would have to be on the outside of the building. It would be inside if they had any sort of authentication system.

Re:Good (0)

Anonymous Coward | about a year ago | (#43205169)

No, because the vault is inside the bank, which itself has doors and armed guards. If the vault door was on the outside of the building, and money just poured out of it whenever you asked, I would think that the bank and the police, not to mention the customers, would be somewhat grateful to you for pointing that fact out.

Re:Good (1)

MiniMike (234881) | about a year ago | (#43205219)

Not a good analogy, as AT&T didn't lose their database, just exclusivity of it (i.e. now everyone else also has it). A better meatspace analogy might be if a store employee left open a door to an office, and someone walking by took pictures of next week's sale items (which stores typically don't want released early) and sent that info to a newspaper. The store has not lost any items, just the info about them.

Re:Good (0)

Anonymous Coward | about a year ago | (#43205285)

Your analogy is completely wrong. First, money wasn't taken, it was information; more importantly it isn't an unlocked door, it is the bank actively giving away information.

A closer analogy would be walking into your bank and asking them who owns account X and the bank giving you their personal information. Then you ask for account X+1 and so forth until X+120,000 and the bank gladly telling you. Then you go to the media and tell them that the bank is sharing all this personal information with anyone who walks in and asks. Then the bank sends you to jail for "hacking" them.

Re:Good (1)

Anonymous Coward | about a year ago | (#43205109)

It's his actions after breaking in [arstechnica.com] that are being punished. They knew what they were doing was wrong, and could've easily alerted AT&T and the press without harvesting thousands of records.

Re:Good (0)

Anonymous Coward | about a year ago | (#43205251)

If you can walk into a walmart, and walk out with some merchandise without paying for it, whether or not Walmart's security stops you, you have still committed a crime.

Just because there's something that is not guarded does not mean you can go screw around.

Re:Good (4, Insightful)

malakai (136531) | about a year ago | (#43205315)

First off, the whole reason these guys got whacked by the judge is because they did the standard script-kid thing and went onto IRC and boasted about it, and talked about how they were going to take down AT&T, and make a name for their security company (Goatse Security, obvious play on goat sex troll)

He didn't "break in". He sent requests to a publicly-accessible web server, and AT&T sent back private information. This wasn't hacking, or even a DOS attack. AT&T is at fault here.

By that rationale, any request on a web server via the HTTP GET or POST that could escalate privilege or divulge private data should go unpunished. You realize the number of vulnerabilities accessible via a well crafted GET URL? XSS, SQL Injection, tons of stuff. Ignore the fact HTTP is even involved here. This is no different than finding a weakness at any other level of the OSI model, the fact people can easily understand HTTP GET's doesn't make them any less serious and dangerous to an attacker.

Honestly, this has been argued over the Ping of Death back in the day. I mean, you're simply sending an ICMP packet via a ping command, it's not like you're hacking.

In the end it's about context. Exploiting a weakness is by definition hacking. Just because the hack isn't enigmatic, doesn't mean it's not a hack. Look at John Draper and a plastic whistle that happened to hit 2600 Hz easily.

"But it's just a guy blowing a whistle into a phone, it's not hacking".

These guys crafted a specific HTTP GET request that returned private data. The key in this request was generated by them based off a known flaw in ATT's systems (using ICC-ID as a semi private key). Then they shared that data with a news organization.

Sure, those of us in the industry can shake our head at how stupid AT&T was, but at the same time most of us recognize the line these two guys crossed. It's one thing to send an e-mail to AT&T and copy a security mailing list with a simple example, it's another to write a program and automate the extraction of over 120k e-mails and then package the data and send it to Gawker, while boasting about it on IRC channels.

Auernheimer likened his actions to walking down the street and writing down the physical addresses of buildings, only to be charged with identity theft.

I could make the same argument for randomly trying passwords against accounts. "I'm just checking to see if this key happens to work in this door...."
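
A defender-side view of the automated extraction described in the comment above, as an added example that is not part of the original thread: a sliding-window check over web access logs that flags a client requesting many distinct identifiers from a lookup endpoint. The path `/lookup`, the parameter `id`, the IP addresses, the identifiers and the thresholds are all constructed assumptions, not AT&T's real endpoint or data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

LOOKUP_PATH = "/lookup"   # hypothetical endpoint path (assumption)
ID_PARAM = "id"           # hypothetical query parameter (assumption)

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def _fmt(ip, ts, ident, status):
    """Render one constructed access-log line."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S +0000")
    return (f'{ip} - - [{stamp}] "GET {LOOKUP_PATH}?{ID_PARAM}={ident} '
            f'HTTP/1.1" {status} 64')


def build_sample_log():
    """Constructed sample data: one ordinary client, one enumerating client."""
    base = datetime(2010, 6, 1, 12, 0, 0)
    lines = []
    # Ordinary device: repeatedly looks up its own identifier.
    for i in range(5):
        lines.append(_fmt("198.51.100.7", base + timedelta(minutes=i),
                          "8900000000000000017", 200))
    # Enumerating client: a new sequential identifier every two seconds,
    # most of which do not exist (404).
    for i in range(40):
        ident = str(8900000000000001000 + i)
        status = 200 if i % 3 == 0 else 404
        lines.append(_fmt("203.0.113.9", base + timedelta(seconds=2 * i),
                          ident, status))
    return lines


def parse_line(line):
    """Return (ip, timestamp, identifier, status) for lookup requests, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, raw_ts, method, target, status = m.groups()
    url = urlsplit(target)
    if method != "GET" or url.path != LOOKUP_PATH:
        return None
    ids = parse_qs(url.query).get(ID_PARAM)
    if not ids:
        return None
    ts = datetime.strptime(raw_ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, ts, ids[0], int(status)


def find_enumerators(lines, max_distinct=20, window=timedelta(minutes=5)):
    """Flag clients that ask for more than max_distinct identifiers in a window.

    Returns {ip: (peak distinct identifiers in any window, total 404s)}.
    Assumes each client's lines arrive in time order, as in a server log.
    """
    recent = defaultdict(deque)   # ip -> (timestamp, identifier) inside window
    peak = defaultdict(int)
    not_found = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, ident, status = rec
        q = recent[ip]
        q.append((ts, ident))
        while q and ts - q[0][0] > window:
            q.popleft()
        # Rebuilding the set per line is fine for an example; a production
        # detector would keep a running counter instead.
        peak[ip] = max(peak[ip], len({i for _, i in q}))
        not_found[ip] += status == 404
    return {ip: (n, not_found[ip]) for ip, n in peak.items() if n > max_distinct}


if __name__ == "__main__":
    for ip, (distinct, misses) in find_enumerators(build_sample_log()).items():
        print(f"{ip}: {distinct} distinct identifiers in window, {misses} not found")
```

Detection of this kind only limits the rate of harvesting; the underlying fix is to stop treating a guessable device identifier as the sole credential for returning account data.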

Can't agree (0)

Anonymous Coward | about a year ago | (#43205335)

41 months for this class of crime makes this a witch hunt. Legal system: fail.

That said, he didn't behave appropriately. When I found a $20 pasted up against the side of my house, I knew which neighbor's driveway it blew out of, and I returned it to them.

Under the law: They did not protect their $20 properly from wind, it was on my property, it had no owner name written on it. It could conceivably have come from another property behind my neighbors and blown through their property....

In reality, any one of my neighbors would return any property that wasn't theirs to the rightful owner without asking. The only excuse for keeping it would be to have given returning it a reasonable try and failed.

Andrew failed the decent neighbor test. If he had a string of e-mails to AT&T showing they were not responsive to the security flaw, and he had asked a list of volunteers if he could ferret out their iPad data from the website as a test, he would have a good case...

But he didn't contact AT&T first, he showed off his 'leet skills, and snagged data about non-volunteers. Neighbor fail. I think the first 3 of his 41 months in jail are quite appropriate.

Re:Good (0)

Anonymous Coward | about a year ago | (#43205351)

He didn't "break in". He sent requests to a publicly-accessible web server, and AT&T sent back private information.

Like sending "requests" to a publicly-accessible ATM using cards with other people's information on them, and then taking the money the bank "willingly" gives you.

Yeah, I totally see the difference between that and "breaking in" to an ATM.

Re:Good (4, Insightful)

MetalliQaZ (539913) | about a year ago | (#43204937)

AT&T publishes the addresses on the web, even though they aren't advertised, they are essentially free to anyone who knows where to look.

Guy finds it, attempts to blow the whistle

Guy is criminal, AT&T takes no liability

Justice!

Re:Good (0)

Anonymous Coward | about a year ago | (#43205083)

If by "attempts to blow the whistle" you mean shares the flaw with other groups and never contacts AT&T, then ya, sure, this guy is gettin screwed.

Re:Good (4, Interesting)

hazah (807503) | about a year ago | (#43205277)

What did AT&T get fined?

Re:Good (5, Insightful)

Mullen (14656) | about a year ago | (#43204977)

As someone else pointed out, all he did was request data from a public server and AT&T sent it to him. Also, he got 41 months for forwarding 114,000 email addresses to a news site, which is overkill. Had he physically broken into an AT&T office and taken the email addresses from someone's desk, he would have received less prison time.

He should have been given community service at the most, and then got an award for exposing a flaw from AT&T.

Re:Good (0)

Anonymous Coward | about a year ago | (#43205387)

How about the community service of checking AT&T's website for private data leaks.

Ohh, wait...

Re:Good (0)

onix (990980) | about a year ago | (#43205001)

Let's live in ignorance. Why don't we, it's such bliss. Point out constructive suggestions, try to be proactive, try to go through the right channels -- only to get shot down. "Shut up", "You're disrupting", "You are a nuisance", "Go away", they say... Go the only way you know how to get recognized (sadly, a last recourse), and get incarcerated. Justice in a dogmatic world.

Re:Good (1)

Midnight_Falcon (2432802) | about a year ago | (#43205007)

You're missing some things here:

The Principle of "Full Disclosure" -- Meaning, companies often don't fix vulnerabilities in a timely fashion until the risk is exposed by making the vulnerability public. This principle has been important in the history of and current landscape of information security, and many people think its effects have been a net benefit.

Harm -- how were these people exactly harmed by having their email addresses revealed? If someone posted my email and iPad MAC on a web site, would I be so upset I'd want him to go to jail for multiple years..family not have income, kids not see their father, over that?

Profit -- Really, these people did it for the reputation and points amongst the hacker community -- once a noble endeavor that drove the United States' technological evolution (how much did Wozniak do just to get points among his friends?) -- now something that can apparently be risky business.

It's easy to see, especially in the aftermath of the Swartz case, that four years in jail for this rather petty act seems like disproportionate punishment for a crime which I think would be worthy of no more than a couple months of a sentence.

Re:Good (1)

stephanruby (542433) | about a year ago | (#43205041)

Know I'll get modded down for going against Slashdot groupthink. But what is the argument suggesting? "It all happened on a computer, it shouldn't be prosecuted?" Stealing private information and releasing in publicly isn't just obviously illegal, it caused grief for 114,000 people.

He didn't release it publicly. He released it to a news site (which did the responsible thing).

It didn't cause grief to anyone, but AT&T.

Re:Good (0)

Anonymous Coward | about a year ago | (#43205093)

I don't think Weev is a great guy (after all, he ran straight to Gawker with the stuff instead of acting like a sensible "Security Researcher"), but I think a lot of the outrage comes from the fact that AT&T is not suffering at all from this. Your analogy isn't quite accurate because your sick dog was only guarding your house. To update it, consider if your friend asked you to store his collection of rare stamps at your house, and you said "Sure! We have a dog, so nobody's going to break in!" And then the dog got sick, the stamps got stolen, etc. etc. Of course the robber is a dick and should be prosecuted, but in this case you are also a dick. Moreover, restitution should go to the guy with the stamp collection, not you (the guy passing off a sick dog as a healthy dog).

There's also the whole 'user privacy' deal. If user privacy isn't a big deal, if we should be happy to let companies such as AT&T and Sony and Apple and Google store all our data for us, why should we care if Weev or Gawker gets our data? After all, we have nothing to hide.

Re:Good (1)

Pogie (107471) | about a year ago | (#43205113)

I'd mainly argue that the punishment is grossly inflated compared to the "crime". The individuals in question submitted properly formatted GET requests to a public website AT&T provided, collecting two pieces of information: The unique identifier for an iPad and the email address of the user who registered the iPad. They didn't get real names, phone numbers, addresses, social security numbers, etc. They didn't spam the users' inboxes. They didn't attempt to spoof the ICC-ID's to get unregistered iPads onto ATT's network. There's about a bazillion harmful things they did not do.

But they were sentenced to 41 months in prison? That seems disproportionate.

And from a technical specification, they didn't do anything unusual at all. I'm curious how much of their sentencing depends on the difference between sitting in front of a browser and typing in 100,000 URL's by hand to get the data v. writing some script to loop through and do it automatically.

Anyway, to your point: "Stealing private information and releasing in [sic] publicly isn't just obviously illegal, it caused grief for 114,000 people". My responses would be:
a) email addresses are arguably not private, and to the extent that email addresses are private information, AT&T provided them on a public website.
b) I wasn't aware my iPad had an ICC-ID, but even if that's private information (and useless to anyone not in possession of my iPad, since it's solely used for validating my device when connecting to AT&T's 3G network): again, AT&T provided the information on a public website.
c) releasing the information publicly is certainly rude, but I'm not sure why it should be _obviously_ illegal.
d) what grief was caused to those 114,000 people?

The only part of the sentence that makes some sense to me is the fine. AT&T does have an argument the release of this information harms their corporate reputation (as it should. Shame on them for leaving this out where anyone could grab it), but I would think that harm would better be remedied in civil court, rather than a criminal proceeding.

Re:Good (2)

erroneus (253617) | about a year ago | (#43205153)

The crime wasn't breaking in (as this has been repeated over and over again), it was disclosure.

Part of the problem is that the prosecutors are simply ignorant as to what they are prosecuting. So any "evidence" presented was done without understanding of what they were asserting. That's quite disturbing on its own.

The "offense" isn't necessarily hacking, because that is not what happened (though it is 'believed' to have happened). What he did was collect the information and present it to the media to bring light to this otherwise serious breach -- a breach that was in active exploitation by others at that time. So, the crime was putting light on the problem.

There is a valuable lesson to be learned here. If you disclose, do it anonymously. If you don't, someone ignorant will try to prosecute. What's more, if you try to report it to the compromised party (such as AT&T in this case) they will still likely have you charged with some computer crime as has been demonstrated in the past. The only option left is fast and anonymous disclosure and to HOPE that black hats don't abuse the information before it is fixed. (We know this won't happen.)

So, don't tell AT&T their pants are down or they will blame you for taking their pants down. Instead, whisper it to other people and let the whole world laugh at AT&T before they can respond. We know that keeping the secret "secret" will not help the public servicing entity because whether someone speaks out or not, the wrong people WILL know of the problem. The right people (the public servicing entity) need to be notified and made aware of the problem(s). But there is significant risk to the messenger. So that message must be disclosed anonymously and publicly. What other choice is there?

AT&T... you have just painted yourself and all other large litigious companies into a very awkward and even dangerous position.

Re:Good (0)

Anonymous Coward | about a year ago | (#43205241)

AT&T made the addresses available to the entire world and gets paid "restitution", while the whistleblower who made them available to journalists gets jailtime? How fucked up does your moral compass have to be to call that good?

Re:Good (5, Insightful)

TemperedAlchemist (2045966) | about a year ago | (#43205329)

Give away emails to demonstrate a security flaw? 41 months in prison.

Rape, molest, and humiliate a sixteen year old girl? 12 months in prison.

Justice.

---

I love you, America.

Don't understand computers? (1, Insightful)

gnasher719 (869701) | about a year ago | (#43204843)

I suppose the prosecutors figured out that Auernheimer managed to lay his hands on over 100,000 email addresses that iPad owners had used to register their devices. So not random email addresses, but email addresses that were in actual use, and with some rather significant personal information attached.

So what exactly do they need to understand about computers beyond that?

Re:Don't understand computers? (4, Insightful)

Jawnn (445279) | about a year ago | (#43204985)

That the defendant did not "break in". He did not circumvent any system or other contrivance designed to secure sensitive information. Those systems and contrivances simply did not exist. The worst that can be said of what he did was that he was irresponsible in sending the clearly sensitive information to someone else. The right thing to do, of course, would have been to contact AT&T. Had he done that, there wouldn't even be a case for restitution, unless maybe it was to compensate the defendant for doing the work that AT&T failed to do.

Re:Don't understand computers? (5, Insightful)

Looker_Device (2857489) | about a year ago | (#43205027)

The right thing to do, of course, would have been to contact AT&T. Had he done that, AT&T would have threatened him to keep quiet and then never fixed the flaw

FTFY

Re:Don't understand computers? (1)

gnasher719 (869701) | about a year ago | (#43205055)

I never said he did "break in". But clearly he copied 114,000 email addresses that he shouldn't have copied. As a "journalist" (that's what the article says; I doubt it) did _not_ say: "I felt like I was watching a trial with a defendant who admitted he doesn't understand the law". Or common decent behaviour. Or the fact that just because you figure out how to do something, doing it might still not be a good idea.

Re:Don't understand computers? (0)

Anonymous Coward | about a year ago | (#43205053)

What the fuck is wrong with you? So if I take a phone book and list 110,000 numbers should I be prosecuted? It was a PUBLIC DATABASE.

Well yes but, (0)

cfulton (543949) | about a year ago | (#43204855)

If you find my key under a rock in my backyard, it is still theft if you break into my house with it and steal things.

Re:Well yes but, (2)

i kan reed (749298) | about a year ago | (#43204935)

Strictly hypothetically, what rock is this key under? And what's your street address? Just hypothetically, so we can look up the laws in your jurisdiction, and understand which rock not to touch.

Re:Well yes but, (1)

deesine (722173) | about a year ago | (#43205159)

Those rocks are for you to look at, not to step on my property and start turning over. Of course, once the cost becomes negligible for a robot to do the rock turning for you, then I'm sure we'll have a rash of home break ins committed by key wielding robots.

Re:Well yes but, (1)

Seumas (6865) | about a year ago | (#43204975)

Also, what time are you hypothetically home?

Re:Well yes but, (0)

Anonymous Coward | about a year ago | (#43204979)

Not the same. It's more like having a party at your house and your guest walks into the kitchen.

Re:Well yes but, (0)

Anonymous Coward | about a year ago | (#43204983)

How is using a key breaking in? The key goes into a lock and opens said lock, thus the door, no?

Surely the fact is that you were stupid enough to leave it in an obvious place. To add weight to this, your insurance company won't pay out on grounds of stupidity (and this being exactly that).

Food for thought, methinks.

Re:Well yes but, (0)

Anonymous Coward | about a year ago | (#43204999)

Yes, but if the security company was just giving out the keycodes to everyone's home security systems, and someone found out they were doing it, then why is that person the only one in trouble?

Re:Well yes but, (2)

Wattos (2268108) | about a year ago | (#43205011)

If you find my key under a rock in my backyard, it is still theft if you break into my house with it and steal things.

The analogy is not really applicable. This is more like writing all your secrets into a notebook and putting it into a library (in a section accessible to everyone). Then you sue the person who found the notebook.

Leaving the data open to any web request is the true crime here. I do not know about the US, but in Europe that would have been a violation against the Data Protection Act.

Re:Well yes but, (0)

Anonymous Coward | about a year ago | (#43205309)

Agreed. The fact is, why would you publish this information to the world? Did he really need to poke the beast?
If he tried to notify AT&T and they didn't give a damn, he should have resorted to other authorities to have the issue resolved.

The way I see it, he basically breached everybody's privacy by publishing their email addresses. On the other hand, if nobody cares about that level of privacy, then he should go free since nobody was harmed.

Re:Well yes but, (0)

Anonymous Coward | about a year ago | (#43205367)

If you find my key under a rock in my backyard, it is still theft if you break into my house with it and steal things.

The analogy is not really applicable. This is more like writing all your secrets into a notebook and putting it into a library (in a section accessible to everyone). Then you sue the person who found the notebook.

Leaving the data open to any web request is the true crime here. I do not know about the US, but in Europe that would have been a violation against the Data Protection Act.

I agree that it would almost certainly have been a DPA violation in Europe, and possibly a criminal one. However I don't think that the library analogy is a good one. Books are placed in libraries by the library staff with the clear intent for them to be borrowed by the public. Obtaining this data may have been as easy as borrowing a book from the library, but he must have known that in the circumstances it was not intended.

Suppose you left a book on a coffee shop table while you went to the bathroom, and I took it and walked out. Can I really claim that I thought you were establishing some kind of one-book public access library? Of course not. While you might have been foolish to leave it completely unprotected, that doesn't excuse me taking it.

Re:Well yes but, (1)

plover (150551) | about a year ago | (#43205013)

No. If you owned an automobile dealership, and wrote down the names and addresses of every customer on a poster, and I asked you for a copy of the poster, and you gave it to me, and then had me prosecuted for displaying the poster, that's the analogy you should be considering here.

Re:Well yes but, (1)

BitZtream (692029) | about a year ago | (#43205383)

Except it was if you were asking for the poster as if you were someone who was supposed to have access to the poster. He was impersonating a person (or machine in this case). He didn't visit att.com and it spewed 100k email addresses at him. He did some traffic sniffing and reverse engineering.

He made an effort to obtain the data. That is what makes it criminal.

Re:Well yes but, (1)

larry bagina (561269) | about a year ago | (#43205031)

Bad analogy. You stick your dick in a glory hole so your wife can suck it, but it's actually a long-haul trucker on the other side.

Re:Well yes but, (0)

Anonymous Coward | about a year ago | (#43205097)

Except in this case, he didn't enter the house, or steal anything.

This is more like walking up to your door, realizing your door is wide open and unlocked.

Then you call the police, and they arrest you for it.

The prosecutor behind this case should be publicly named and driven out of office. The conduct is entirely inappropriate here.

 

Who stole things? (1)

Comboman (895500) | about a year ago | (#43205225)

If you find my key under a rock in my backyard, it is still theft if you break into my house with it and steal things.

No one is being charged with stealing things. They are being charged with (to extend your analogy) telling the newspaper what an idiot you are for hiding your key under a rock.

Re:Well yes but, (1)

Endo13 (1000782) | about a year ago | (#43205243)

That's not what happened at all. If you must have a key analogy, here's what happened.

You gave your key to a company for safekeeping. He walked up to the company and asked for your key. They gave it to him. He, in turn, gave it to a news company to point out how flawed the "security" was of the company you gave your key to.

Re:Well yes but, (1)

PantherX (23953) | about a year ago | (#43205247)

If we're going to do analogies, let's pick something that is closer to what actually happened.

If I request a copy of your bank statement that is in your locked home, and you go inside, get it and come back and give it to me, that's not theft.

If you set up an automation to go and get information or things for people outside of your home and the automation gives out the wrong information or things, that's still your responsibility.

Re:Well yes but, (0)

Anonymous Coward | about a year ago | (#43205271)

BULLSHIT. Unless you *actually steal something*.

1. For information, that is physically impossible. The word is only defined for matter/energy. (And everyone from the Content Mafia: Shut the fuck up. You gonna die a horrible, brutal, decade-long, excruciatingly painful death, *by your own hand*!)
2. He didn't harm anyone! He didn't give your PUBLICLY FUCKIN' ACCESSIBLE data to anyone evil. Mainly because
3. THERE WAS NO KEY. It was public space, with a sign saying "walk right in here". Just based on a nice request that needs no honoring at all, the fuckin' HTTP server SENT him the data, for FUCK'S SAKE!!!

He just told somebody about it, who you fuckin' ignorant moron will listen to, so you piece of shit finally fix that fuckin' security hole and stop endangering your clients, you MASSIVE! CAPITALIST! SHIT!

How fuckin' dense are you??

Couldn't have been a better person. (0)

Anonymous Coward | about a year ago | (#43204865)

It's completely crazy and immoral to even put someone in prison for what he did. But luckily the defendant himself is crazy and immoral so it sort of evens out?

Hard to feel sympathy (4, Insightful)

i kan reed (749298) | about a year ago | (#43204893)

The purported target, AT&T, is hardly the nicest organization, but the actually affected people were just regular people. This doesn't seem especially out of line with the USA's normal unhealthy sentencing. We want to punish, not correct, those convicted here.

As long as that attitude remains dominant, miscarriages of justice will occur within every branch of justice (except for the super-rich).

Re:Hard to feel sympathy (1)

Anonymous Coward | about a year ago | (#43205081)

the actually affected people were just regular people

not true, they were iDiots

Re:Hard to feel sympathy (1)

EGSonikku (519478) | about a year ago | (#43205193)

Yes, people who bought $product that differs from $YourPreferredProduct are "iDiots".

Never mind that this happened during the iPad 1 era, when there was essentially no other player in the tablet market.

Re:Hard to feel sympathy (0)

Anonymous Coward | about a year ago | (#43205283)

"We want to punish, not correct"

WTF? Who told you prison was meant to correct anyone? You, dude, need to get a refund on your public education dollars.

Prison is for punishment, as it should be.

Re:Hard to feel sympathy (1)

Anonymous Coward | about a year ago | (#43205397)

Last time I checked, the majority of prison systems including in the US refer to themselves as "correctional services". Government-sanctioned petty vengeance has no place in a civilised society. It is however in society's best interests to prevent criminals reoffending; preferably in an efficient manner.

#freeweev (0)

Anonymous Coward | about a year ago | (#43204897)

make a profile. sign it. share it. please. http://wh.gov/sR5l

Wow (0)

Anonymous Coward | about a year ago | (#43204929)

Wow, that's a ridiculous sentence. You can hear more about this story on http://www.miscbb.org; it's a hacking forum.

Sentencing reveals country's values (5, Insightful)

bigonese (1606593) | about a year ago | (#43204953)

Two young men in Steubenville rape a young woman and get 1 - 2 years in jail. A man writes a script to get email addresses from a website and gets 3.5 years in jail. Something's not right.

Re:Sentencing reveals country's values (5, Insightful)

Seumas (6865) | about a year ago | (#43205009)

It's simple. Society is sick.

Their response to one is "Well, boys will be boys!".

Their response to the other is "Oh my god, if they can webscrape publicly accessible information, the next thing these vial social outcasts will be doing is hax0ring into NORAD and launching nuclear warheads and initiating WWIII and I can't have that because I haven't finished watching Real Housewives, yet!"

Re:Sentencing reveals country's values (1)

jittles (1613415) | about a year ago | (#43205181)

these vial social outcasts will be doing is hax0ring into NORAD and launching nuclear warheads and initiating WWIII and I can't have that because I haven't finished watching Real Housewives, yet!"

Would you like to play a game?

Oh and I think you meant vile.. A vial is something you use in your chemistry lab! ;)

Re:Sentencing reveals country's values (4, Insightful)

Derekloffin (741455) | about a year ago | (#43205067)

Come on now, the combined trauma of those 100,000 people having their emails... oh never mind, I just can't say it with a straight face.

Re:Sentencing reveals country's values (1)

Vitriol+Angst (458300) | about a year ago | (#43205343)

I'm not sure here if the damage was based on "AT&T's reputation" -- meaning, it hurts their income for people to know you don't need to hack them.

OR

Over 100,000 people now have their reputations damaged for being associated by email to AT&T.

You know that only 300,000 of AT&T's closest advertisers, spammers and script kiddies have these email addresses.

Is the going rate 2 pennies an email to buy as an advertiser or am I being too pricey here?

Re:Sentencing reveals country's values (1)

Nimey (114278) | about a year ago | (#43205131)

The rapists are juveniles. Sentencing is different when you commit a crime before the age of majority, and rightly so.

Re:Sentencing reveals country's values (1)

SJHillman (1966756) | about a year ago | (#43205297)

I wish I understood that when I was a minor, I would have had so much more fun...

Re:Sentencing reveals country's values (4, Informative)

krlynch (158571) | about a year ago | (#43205177)

The Steubenville convictees are legally juveniles. Society has decided that we don't throw the book at them. Had they been adults, they would not be getting sent to a juvenile facility, and they would not be getting out in so short a time. It's hardly an apt comparison.

Re:Sentencing reveals country's values (1)

Anonymous Coward | about a year ago | (#43205197)

If the whistle-blower in this case was a juvenile, I suspect there would have been people arguing for him to be tried as an adult.

Re:Sentencing reveals country's values (0)

Anonymous Coward | about a year ago | (#43205201)

Well, to be truthful, the guy didn't really set himself up to be "remorseful" or anything like it.

After all, if you give them a reason to treat you harshly, don't be surprised if they do [theverge.com]. Wanting the maximum sentence?

Perhaps that MIT charm school has a lot of merit on how to interact with people. Given the comments on that article were of the "screw etiquette" and "why should I dress up?!" or "society's rules do not apply", I guess it's not really a surprise when society decides you don't fit in to their norms (and they outnumber us). Give people a reason to not relate to you, and don't be surprised when they don't. Give people a reason to like you and they'll let you off with a lesser sentence.

Over the top sentence? For the crime actually committed, most likely. But when you're characterized as a ne'er-do-well or unrelatable to the public and your actions don't suggest you have any remorse, the courts don't generally look too highly on that behavior.

Re:Sentencing reveals country's values (3, Insightful)

dkleinsc (563838) | about a year ago | (#43205295)

It's all about who the victim and the perpetrator of the crime is: In the Steubenville case, the victim is a powerless teenage girl, and the perps are a couple of somewhat powerful (at least locally, where the high school football team is a privileged class) teenage boys. In this case, the victim is AT&T (the largest campaign donor in the US), and the perp is a relatively powerless computer geek.

This is just a subset of the more extreme differences: Rob $2000 from a bank, and if you're lucky you won't be shot by the police. Rob $2 billion from a bank, and the SEC or OCC will settle with you for $500 M (25% of your take) and no admission of wrongdoing.

And no, that's not the way it's supposed to work, but it's the way it's actually working.

No understanding of computers or the internet (1)

jonfr (888673) | about a year ago | (#43204987)

These people do not have any understanding of computers or the internet in general. I doubt it is going to change in the future, since this type of people are generally not computer literate at all and never have been.

I doubt they even know what an IP address is or a hard drive.

Burglars, Rapists, and Bankers who ruined the econ (0)

Anonymous Coward | about a year ago | (#43205019)

Bankers who brought the nation and somewhat the world into a great recession do not serve any jail time. Too Big to Jail?

People lied about going to war in Iraq and many people died because of it. No one in the Bush administration has served jail time for lying.

Burglars and Rapists get out faster than those who do computer crimes.

I don't understand why someone who warned others about a security risk was jailed when nothing happens to the FBI for snooping on a military General's email for the wrong reason.

I guess when you are connected - sort of like the mob - but in this case the government and big business - only the little guy will do jail time.

they don't understand law, either (1)

swschrad (312009) | about a year ago | (#43205039)

the ATT servers were not secured. the data was figuratively lying out on the street, in the old days there would be a black or brown binder holding a galloping shitload of greenbar paper, and if you flipped the binder open, it would say, "LIST OF iPHONE USERS DATA." that is thus insecure data, hence public. ATT's trash blowing across the street. the guy should not have been prosecuted, he should have been given a code for free wi-fi at McDonalds for two weeks.

take note... data wants to be free. if it isn't locked away, it will become so. just like houses and banks, if you lock your stuff up, it isn't free to all any more.

Risk Versus Reward (1)

tokencode (1952944) | about a year ago | (#43205045)

This is one of those cases that the defendant should have identified the risk versus reward for releasing this data. He obviously knew the data was not meant to be public otherwise he wouldn't have bothered to send them to prove a security flaw. Risk: Jail-time Reward: ? Name recognition? Better security at AT&T? My equation says no way in hell would I release that data. If you really care about security so much, inform the proper owner of the data, not a news agency.

Publicly-Accessible Data=Prison?? (1)

BlueStrat (756137) | about a year ago | (#43205059)

In 2010, querying a public AT&T database yielded over 114,000 email address for iPad owners who were subscribed to the carrier.

If the database was publicly-accessible, how is it a criminal act, as a member of said "public", to actually access it? That's like a newspaper that accidentally publishes data it considers private and prosecuting readers.

The criminal act was negligence by AT&T. This is simply a distraction and face-saving prosecution to wash AT&T clean of culpability.

Strat

Re:Publicly-Accessible Data=Prison?? (1)

gnasher719 (869701) | about a year ago | (#43205141)

If the database was publicly-accessible, how is it a criminal act, as a member of said "public", to actually access it? That's like a newspaper that accidentally publishes data it considers private and prosecuting readers.

It wasn't publicly accessible. The information of _one_ iPad owner was accessible to that _one_ iPad owner. He figured out how to make his computer pretend to be many different iPads.

There was some interesting discussion recently about anti-hacking laws where huge problems were caused by the fact that the law makes "exceeding authorized access" a crime, which can then be used to apply in all kinds of situations that actually don't have to do anything with hacking. This one is the opposite: The guy didn't have authorization to access the email addresses of any iPad user, except possibly his own if he owned an iPad. So no "exceeding authorized access" but no right to access at all.

How does this not qualify as... (1)

Roskolnikov (68772) | about a year ago | (#43205127)

whistle blowing?

if he would have called AT&T and told them he found this, they would have accused him of hacking, he leaks it to a journalist and gets jail? did the journalist turn him in?

Re:How does this not qualify as... (1)

Endo13 (1000782) | about a year ago | (#43205345)

He probably admitted to it himself, completely underestimating the sheer stupidity our justice system is capable of.

Just because I forgot to lock the door (1)

Dorianny (1847922) | about a year ago | (#43205133)

Forgetting to lock my door makes it easier for a thief to enter my house and steal but it doesn't excuse or even lessen the crime. That being said, the sentence seems rather excessive for what is little more than an inconvenience to the people affected by the release of their email address.

Damn shame (0)

Anonymous Coward | about a year ago | (#43205161)

Weev helped me out a while ago with free hosting when I was hosting a controversial site and had some issues with other hosting providers. He may be a total troll, but he's also a good guy who doesn't deserve this at all. He believes in free speech and despite how the media is making this out to seem, he handled the data a lot more responsibly than ATT did. He could have published it. Instead he handed it to the press.

What I learned from this: Abuse them. Always! (0)

Anonymous Coward | about a year ago | (#43205171)

I learned from this, that I will be sending that data to most evil bastards on the planet. Stupidity must hurt. Karma must come back. And I'm the one whose job it is, to make sure that happens.

a monster off the streets. everyone is safer. (0)

Anonymous Coward | about a year ago | (#43205173)

</sarcasm>

typing more due to filter. typing more due to filter.

A question of disclosure to whom, when. (1)

Lashat (1041424) | about a year ago | (#43205185)

Many conflicting articles have been released concerning when the flaw was disclosed to whom. IANAL, but I *think* this may have been the crux of the prosecution's case. If the flaw was disclosed to others before AT&T or perhaps the people whose emails were discovered = crime. If not = no crime.

I am not advocating this position as correct. Just trying to present an opinion.

One of the better articles on the subject of disclosure, still leaves many murky grey area problems for any professional security researcher.
http://www.wired.com/opinion/2012/11/hacking-choice-and-disclosure/ [wired.com]

he hired a cheap lawyer (0)

Anonymous Coward | about a year ago | (#43205245)

any expensive lawyer worth his salt would have painted the case that AT&T was at fault, not the defendant, in a clear enough picture for the jury to understand. If OJ can get off, and Lohan can get off, it's just a matter of paying for the right representation.

Seriously? (0)

Anonymous Coward | about a year ago | (#43205279)

What about the security and network admins responsible for the box that was hosting this database? It was completely their fault for allowing this to be exposed to the public.

It's complete bullshit that they can reprimand someone who accesses publicly sensitive data but not reprimand those that put the data at risk.

When are the courts going to learn how this shit works?

reminds me of Harvard B-school hack (1)

peter303 (12292) | about a year ago | (#43205391)

Applicants could peek ahead at the status of their admissions by adding a few numbers to their URLs on the site. Harvard rejected all of the people who tried the hack. And told other ivy b-schools about them too who also rejected them.

... and if Google had done this... (4, Insightful)

tekrat (242117) | about a year ago | (#43205403)

They would only be fined 1 day's worth of profits...
Corporations are people too? Bullshit. Corporations are treated better than people, under the law. I seriously suggest that every individual incorporate themselves and, when accused of any wrongdoing, claim it was via the corporation, and suggest that the law take it up with the board of directors.
