
Security Researchers Submit Brief For Andrew "Weev" Auernheimer

samzenpus posted 1 year,21 days | from the helping-a-hacker-out dept.

Security

USSJoin writes "Andrew Auernheimer (or Weev, as he's often better known) is serving a 41-month sentence under the Computer Fraud and Abuse Act. The case is currently on appeal to the Third Circuit Court of Appeals; his lawyer filed the appellate brief last week. Now, a group of 13 security researchers, led by Meredith Patterson, and including Peiter "Mudge" Zatko, Space Rogue, Jericho, Shane MacDougall, and Dan Kaminsky, are making their own thoughts heard by the court. They are submitting a brief to the Third Circuit Court of Appeals that argues that not only is Weev's conviction bad law, but if upheld, it will destroy independent security research, and perhaps the rest of consumer safety research as well."


161 comments

frosty piss (-1)

Anonymous Coward | 1 year,21 days | (#44215243)

frosty piss frosty piss

What Weev did (5, Informative)

wonkey_monkey (2592601) | 1 year,21 days | (#44215293)

It may have been pertinent to briefly explain what he actually did in the summary - he was the guy who got hold of 114,000 AT&T customer email addresses. Beyond that I don't know much, except that there is some argument over whether what he did was any kind of "hack" - he may have just navigated some exposed folders. Either way, you still probably get less than 41 months for kicking a puppy to death.

Re:What Weev did (0)

Anonymous Coward | 1 year,21 days | (#44215387)

Thank you for the explanation of what he did, but you're forgetting one important thing. Kicking a puppy to death doesn't affect the profits of Corporate America, so there's no reason why the penalty would be as severe.

Re:What Weev did (0)

Anonymous Coward | 1 year,21 days | (#44215451)

Weev has probably kicked a few puppies to death in his time in the acid-fueled mistaken impression that they were Jewish bankers.

Re:What Weev did (0)

Anonymous Coward | 1 year,21 days | (#44215489)

114,000 AT&T customer email addresses is nothing. Just imagine how many the NSA has. Should their punishment be in logarithmic, direct, or exponential proportion to Weev's?

Re:What Weev did (0)

Anonymous Coward | 1 year,21 days | (#44215659)

The law is not supposed to punish the government for doing things we've authorized them to do.

Re:What Weev did (1)

ebno-10db (1459097) | 1 year,21 days | (#44215907)

The law is not supposed to punish the government for doing things we've authorized them to do.

"We"? I know I didn't authorize them to do it. Even if I, or anyone else including the president had, it still doesn't repeal the 4th Amendment.

Re:What Weev did (2)

Ash-Fox (726320) | 1 year,21 days | (#44216341)

Note: I am not the original poster, and I am not from, nor do I even live in, the U.S.

it still doesn't repeal the 4th Amendment.

I don't view what the NSA is doing as a violation of the 4th amendment (was it ever fully confirmed that the gathering of data was warrantless, or was it entirely through the FBI's warrants?).

The method of duplicating data they used does not look anything close to a search and seizure to me. Nor do I see persons being deprived of houses, papers, and effects in this intelligence gathering.

I feel that trying to use the 4th amendment to stop this is somewhat weak, the amendment seems more constructed in a form to prevent people from being hassled/harassed and deprived of personal effects. Then there are words like "unreasonable" used, so even if this is considered to be infringing the 'search and seizure' contexts, I am uncertain that this can be considered unreasonable considering the context of what this amendment appears to have been written in.

Now, of course, there are going to be rulings that disagree and agree with me, but my point here is that I feel the 4th amendment argument is actually quite weak in this scenario and feels more like you're trying to use something unrelated to get your way. I should also point out that there have since been a bunch of law changes that give approval to such actions - I don't know if that would make it considered 'reasonable', since it's been approved at various levels of government institutions which are run by the people.

It would be great to see better arguments than "it still doesn't repeal the 4th Amendment." with no decent explanation as to how the 4th amendment is really involved.

Re:What Weev did (0)

fazey (2806709) | 1 year,21 days | (#44216537)

They've effectively used the patriot act to circumvent the 4th amendment. The 4th amendment has nothing to do with putting you out of home, or taking your copies of the data... it has to do with guarding against unreasonable search and seizure. In this case copying all of my emails is unreasonable search.
Why should they be able to tell what kind of porn I subscribe to?
Why should they get to see a copy of my significant other naked?
The answer is, they shouldn't. But they were given the ability to circumvent the constitution in the name of "national security". Terrorists are just the new Commies. That's the problem.

Re:What Weev did (1)

mi (197448) | 1 year,21 days | (#44216923)

the 4th amendment argument is actually quite weak in this scenario and feels more like you're trying to use something unrelated to get your way

Well, if the 1st Amendment was used to establish a right to sell pornography, then the 4th may as well be used against the government browsing through our electronic records in addition to any tangible personal effects... (And the 2nd, BTW, should allow us to keep and bear any arms, which we can, ahem, "keep and bear" — including the "assault" variety.)

Re:What Weev did (1)

Curunir_wolf (588405) | 1 year,21 days | (#44215913)

The law is not supposed to punish the government for doing things we've authorized them to do.

I think the jury is still out over whether "we've" authorized them to do what they did or not. The secret court made a secret decision that expanded the original authorization to one that is a lot more expansive. I think there is a good argument to be made that they went beyond their authorization.

Be that as it may, the insiders are never held accountable like the rest of us are. Do you think James Clapper will get the same punishment as Martha Stewart?

Re:What Weev did (5, Informative)

Trepidity (597) | 1 year,21 days | (#44215627)

He was also convicted of conspiracy to distribute those addresses for criminal purposes based on the fact that he... sold them to Russian fraudsters? No: disclosed them to a journalist. I guess the criminal purpose was embarrassing AT&T?

Re:What Weev did (1)

MickyTheIdiot (1032226) | 1 year,21 days | (#44215855)

Look at this very thread.

It's fairly obvious where our values are placed in this country.

Re:What Weev did (2)

interkin3tic (1469267) | 1 year,21 days | (#44215891)

He also broke a gag order. A gag order which sounds like it was intended to bully and bankrupt him into submission.

Just throwing this out there for someone with more legal insight than me: how is it that gag orders are justified when there's not a fear that one of the witnesses is going to get shot by the mob?

Re:What Weev did (1)

steelfood (895457) | 1 year,21 days | (#44217363)

Which shouldn't be embarrassed or threatened, because they're extremely helpful to the NSA and FBI in their endeavours.

That's the problem with allowing corporations to cooperate with the government. It ultimately descends into corporatist fascism where one is helping to cover the other's ass and vice versa. In the end, it's the people who lose.

Re:What Weev did (2)

reimero (194707) | 1 year,21 days | (#44216125)

The appeal brief (linked above) is worth a read. There's a lot of legal-ese in there (obviously), but it raises some very serious questions (not the least of which is double jeopardy.) There's also the legitimate question of what constitutes "unauthorized" access. From what I can tell, AT&T used those individualized headers as an authentication/authorization scheme, and relied on security through obscurity. Auernheimer changed the headers and gained access to accounts that were not his. There was no other authentication "challenge", no effort made on AT&T's part to verify the authenticity of the header, and no encryption.

Auernheimer is certainly a shmuck, but in this specific instance, I don't think he broke the law, and if he did, it was at worst a misdemeanor. I really think this is AT&T pushing for aggressive prosecution to cover their own tails: that security scheme was so weak that they'd likely have been subject to a lawsuit of their own had they not gone after Auernheimer aggressively.

Re:What Weev did (2)

Jane Q. Public (1010737) | 1 year,21 days | (#44216403)

"There's also the legitimate question of what constitutes "unauthorized" access."

Their first point is the one I feel is most pertinent and carries the most weight: the fact that calling a breach of Terms of Service a "crime" would effectively allow private corporations to write their own laws... something that is very clearly outside not just our Constitution, but our entire historic system of justice, from long before the Constitution was even conceived.

Re:What Weev did (2)

davydagger (2566757) | 1 year,21 days | (#44217421)

in other news, a bunch of teenagers who raped another teenager, bragged about it in a video, and put it on the internet get two years (24 months) in juvenile hall

http://abcnews.go.com/US/steubenville-football-players-guilty-ohio-rape-trial/story?id=18748493

good job America, way to let the world know you have your priorities right.

Well (1)

Anonymous Coward | 1 year,21 days | (#44215295)

In the light of recent events, we are sure the STASI also owes some favors to AT&T....

LOL (0, Informative)

Anonymous Coward | 1 year,21 days | (#44215311)

So independent researchers talk about their work in ways such as:

Auernheimer: this could be like, a future massive phishing operation serious like this is valuable data we have a list a potential complete list of AT&T iphone subscriber emails

Auernheimer: well i will say this it would be against the law for ME to short the att stock but if you want to do it go nuts

Auernheimer: lets not like do anything else we fucking win and i get to like spin us as a legitimate security organization

Yeah, he surely was working to only help those customers...

Re:LOL (4, Interesting)

sideslash (1865434) | 1 year,21 days | (#44215553)

If you read those comments in a hostile light, then sure, then it looks like he's up to no good. But just from those snippets, it's ambiguous. As far as the phishing thing, how the heck do you think a security researcher would describe the importance of a vulnerability discovery? It appears that Weev had no intent to use the data maliciously, he just exposed AT&T's wrongdoing to the world. Do you have any evidence otherwise?

Re:LOL (4, Interesting)

thoriumbr (1152281) | 1 year,21 days | (#44215557)

No, Weev is not an independent security researcher, he is a troll. BUT he used the same tools the researchers use. It's like passing a law outlawing the use of lockpicks. Surely all thieves would be affected, but it would affect locksmiths too.
If Weev loses the appeal, the traffic on the full-disclosure mailing list will drop a lot. If I discover a bug on the Paypal website that allows anyone to access a third party's account, and I inform Paypal, I would be guilty.
Even with Weev being a troll and thinking of making a profit from the AT&T mistake, the problem is shifting the blame for exposing the innocent victims from AT&T to Weev. The way this is going, it looks like AT&T did everything right, responsible, blameless, and an evil hacker with super-human powers hacked their NSA-grade secured servers and stole the data, when what really happened was that AT&T didn't even bother to protect the data in any way.

Stretching the laws for corporations (4, Insightful)

sl4shd0rk (755837) | 1 year,21 days | (#44215329)

What Weev did was spoof his Browser headers and then send a bogus ID to AT&T's webserver. The dumbasses who wrote and reviewed the code on AT&T's backend were negligent in that they blindly trusted the user input and spit out private information as a result. If that's what the Spec said was supposed to happen, then start climbing the ladder and find out who authorized customer info to be so accessible.

In my mind, the people in charge of code review at AT&T need to be in court answering questions as to what other code they have facing the internet which could be circumvented in a similar way giving away customer info to anyone who can use a common browser plugin and simply change a form variable. This is a clear case of glaring corporate negligence being covered with the Computer Fraud and Abuse Act.

I'm not even sure what the CFAA is supposed to protect, but if its primary use is to keep people from asking questions about how their private info is stored, and who has access to it, then get rid of it. The only people winning from legislation like that are the ones who would otherwise be sued for negligence.
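The post above describes the failure in general terms: a backend that returns private data for whatever identifier the client sends. The following is an added example, not code from the page, from AT&T or from the case record. It is a toy model of that mistake beside a hardened version that ignores client-supplied identity and binds the lookup to an authenticated session. The header names, the ICCID-like numbers, the sample subscribers and the session scheme are all constructed for illustration.

```python
"""Added example: a lookup endpoint that trusts a client-supplied device
identifier, beside one that derives identity from a server-side session.
Everything here (header names, identifiers, subscribers) is constructed."""

import secrets
from typing import List, Optional, Tuple

# Constructed sample data: device identifier -> customer email.
SUBSCRIBERS = {
    "89014100000000000001": "alice@example.com",
    "89014100000000000002": "bob@example.com",
    "89014100000000000003": "carol@example.com",
}


def vulnerable_lookup(headers: dict) -> Optional[str]:
    """Vulnerable: the identifier in a request header is treated as proof of identity.

    Nothing ties the identifier to the caller, so any client that can set a header
    can ask for any subscriber's record.
    """
    device_id = headers.get("X-Device-Id", "")
    return SUBSCRIBERS.get(device_id)


def enumerate_vulnerable(start: int, count: int) -> List[str]:
    """What an attacker does with such an endpoint: walk sequential identifiers
    and keep every hit. Sequential identifiers make the whole list harvestable."""
    harvested = []
    for n in range(start, start + count):
        email = vulnerable_lookup({"X-Device-Id": f"8901410000000000{n:04d}"})
        if email is not None:
            harvested.append(email)
    return harvested


# Hardened version. A session token is minted only after the caller has
# authenticated; the credential check itself is out of scope here and is
# assumed to have happened before issue_session is called.
SESSIONS: dict = {}  # token -> device identifier the session was authenticated for


def issue_session(device_id: str) -> str:
    """Mint an unguessable session token bound to exactly one device identifier."""
    if device_id not in SUBSCRIBERS:
        raise KeyError("unknown device")
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    SESSIONS[token] = device_id
    return token


def hardened_lookup(headers: dict) -> Tuple[int, Optional[str]]:
    """Hardened: identity comes from the server-side session, never from the client.

    Returns an HTTP-style (status, email) pair.
    401: no valid session.  403: the client asked for a device other than its own.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, None
    device_id = SESSIONS.get(auth[len("Bearer "):])
    if device_id is None:
        return 401, None
    # A client-supplied identifier is at most a cross-check, never the source of truth.
    requested = headers.get("X-Device-Id")
    if requested is not None and requested != device_id:
        return 403, None
    return 200, SUBSCRIBERS[device_id]
```

The point of the hardened version is not the token format but where identity comes from: the record returned is chosen by the session the server issued, and the header the client controls can only narrow or reject the request, never widen it. Rate limiting and non-sequential identifiers are worthwhile on top of that, but on their own they only slow enumeration down; without the session binding the endpoint remains an oracle.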

Re:Stretching the laws for corporations (3, Informative)

Anonymous Coward | 1 year,21 days | (#44215411)

The only people winning from legislation like that are the ones who would otherwise be sued for negligence.

And who do you think wrote the legislation?

Whenever laws like this are written, it's the corporate interests via their lobbyists who write the laws.

Then said Congressman, on that particular corporation's buddy list, submits the law as his own work.

Being a Congressman is a pretty cushy deal - 6 figure income, other people do your work, you get your ass kissed, travel around for free and get entertained, no worries about what the little people go through and it just goes on ....

If it weren't for the fact that I'm a really shitty liar (and couldn't keep a straight face with the platform needed to be elected), I'd jump on the job in a heartbeat!

Re:Stretching the laws for corporations (2, Insightful)

Infiniti2000 (1720222) | 1 year,21 days | (#44215431)

Whoa, easy on the vitriol there, bub. Don't let bad design cloud your judgment of the actual case. It matters not how badly the AT&T folks implemented security (or not) on their system. The fact is Weev "stole" it (copied without permission) and then stupidly publicized it. What's more, he "shared it with various interested parties [dailytech.com] ."

As far as I'm concerned, anyone calling their group Goatse Security needs to be punished anyway. I'm not interested in trying to explain to my 6yo what the fuck that means.

Re:Stretching the laws for corporations (2)

hublan (197388) | 1 year,21 days | (#44215579)

Whoa, easy on the vitriol there, bub. Don't let bad design cloud your judgment of the actual case. It matters not how badly the AT&T folks implemented security (or not) on their system. The fact is Weev "stole" it (copied without permission) and then stupidly publicized it. What's more, he "shared it with various interested parties [dailytech.com] ."

If AT&T had left printouts of highly personal data in a dumpster and someone had found it right there, then I don't think you would've had a problem fingering the culprit. AT&T, right? Dumpster diving would certainly not get someone 41 months in the slammer (e.g. California v. Greenwood).

In other words, it was right there in the open. Hence, the blame lies squarely with AT&T for not properly securing their customers' private information.

As far as I'm concerned, anyone calling their group Goatse Security needs to be punished anyway. I'm not interested in trying to explain to my 6yo what the fuck that means.

Your obvious lack of parenting skills is not his responsibility.

Re:Stretching the laws for corporations (1)

tnk1 (899206) | 1 year,21 days | (#44216079)

Spoofing browser headers to overcome security restrictions, even laughably bad security restrictions, is not the same as dumpster diving. For one thing, it's already been ruled that having stuff in the trash indicates the intent to make that trash freely available to be removed, and as such, anyone can remove all or any part of such and even have it used as evidence against the original owner.

So, the comparison is not appropriate because the intent and the law are strikingly different, even if the company's incompetence is similar between those instances.

That said, it is good to know just how bad online security really is. I find myself torn between the full-disclosure types who release this stuff to make sure it gets attention, and the effects that such disclosures could have if the company does not act in time to deal with them.

Full disclosure's goal is to secure the attention and cooperation of the insecure party, or failing that, to allow everyone else to know that they need to take action. The problem is, the end user either does not come to hear of these vulnerabilities, or failing that, they can't easily alter their own level of vulnerability. Additionally, even if the company is at fault for the issues, they may have dug themselves into a hole they can't quickly extract themselves from.

There is the school of thought that if the vulnerabilities have been found by the security researchers, then they have already been found, or will soon be found by black hats. For vulnerabilities that are trivial to discover and exploit, this is probably the case. I can't help wondering, however, if the black hats get most of their best material by simply watching the full-disclosure releases more closely than anyone else, and letting the white or grey hats do the hard work for them.

Re:Stretching the laws for corporations (3, Insightful)

DarkOx (621550) | 1 year,21 days | (#44215623)

I'd say ATT published it when they made it available online via webserver with no effective authentication around it.

Re:Stretching the laws for corporations (1)

omnichad (1198475) | 1 year,21 days | (#44215699)

Exactly. He could have used first initials and last names and scrubbed the email address into an SHA-1 hash - enough to prove that he retrieved the list, but not enough to actually stupidly share around customer details.
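The comment above suggests proving retrieval with initials, surnames and an SHA-1 of each address. The following is an added example, not from the page or from anyone in the case, showing why a bare SHA-1 of an email address is not a redaction (addresses have little entropy, so anyone with a plausible candidate list recovers them by hashing guesses) and how a keyed HMAC, whose key stays with the researcher until the affected party asks to verify, gives the same proof without that weakness. All records, the candidate-guessing strategy and the key are constructed.

```python
"""Added example: redacting a retrieved list for disclosure.
weak_redact is the unkeyed scheme; reverse_weak shows it falls to a dictionary
attack; keyed_redact/verify_claim show the keyed alternative. Constructed data."""

import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed: what the researcher retrieved (first name, last name, email).
RETRIEVED = [
    ("Alice", "Anderson", "alice.anderson@example.com"),
    ("Bob", "Brown", "bob.brown@example.com"),
    ("Carol", "Clark", "carol.clark@example.com"),
]


def weak_redact(records: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """The scheme from the comment: initial + surname plus SHA-1 of the address."""
    return [(f"{first[0]}. {last}", hashlib.sha1(email.encode()).hexdigest())
            for first, last, email in records]


def guess_candidates(redacted: List[Tuple[str, str]], domain: str = "example.com") -> List[str]:
    """Constructed guessing strategy: the label already leaks initial + surname and
    the provider's domain is known, so try common local-part patterns."""
    first_names = {"A": ["alice", "anna"], "B": ["bob", "bill"], "C": ["carol", "chris"]}
    guesses = []
    for label, _ in redacted:
        initial, last = label.split(". ")
        for first in first_names.get(initial, []):
            guesses += [f"{first}.{last.lower()}@{domain}",
                        f"{first}@{domain}",
                        f"{first[0]}{last.lower()}@{domain}"]
    return guesses


def reverse_weak(redacted: List[Tuple[str, str]], candidates: List[str]) -> Dict[str, str]:
    """Dictionary attack on the unkeyed scheme: hash every guess, match the digests.
    Returns label -> recovered email for every hit."""
    table = {hashlib.sha1(c.encode()).hexdigest(): c for c in candidates}
    return {label: table[digest] for label, digest in redacted if digest in table}


def keyed_redact(records: List[Tuple[str, str, str]], key: bytes) -> List[Tuple[str, str]]:
    """Same shape, but the tag is HMAC-SHA256 under a key only the researcher holds,
    so a guesser cannot build a lookup table."""
    return [(f"{first[0]}. {last}", hmac.new(key, email.encode(), hashlib.sha256).hexdigest())
            for first, last, email in records]


def verify_claim(redacted: List[Tuple[str, str]], key: bytes,
                 own_records: List[Tuple[str, str, str]]) -> bool:
    """Run by the affected party once it has been given the key: every tag must
    match one of its own customers' addresses, which proves the list was really
    retrieved without the researcher ever handing the addresses around."""
    expected = {hmac.new(key, email.encode(), hashlib.sha256).hexdigest()
                for _, _, email in own_records}
    return len(redacted) > 0 and all(tag in expected for _, tag in redacted)
```

The keyed version changes who can check the evidence, not what it proves: the party that already holds the real addresses can confirm every tag once it receives the key, while a journalist or bystander holding only the redacted list learns nothing beyond the count and the initials. Handing the key over should be a deliberate step, after the affected party has asked to verify.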

LOL. Okay, and.....? (4, Insightful)

SomePoorSchmuck (183775) | 1 year,21 days | (#44215353)

"...not only is Weev's conviction bad law, if upheld, it will destroy independent security research, and perhaps the rest of consumer safety research as well."

Yeah, I'm pretty sure that's the point. What in the world makes them think the government and the mega corps that they've merged with wouldn't want to "destroy independent security research" and "consumer safety research"? You think those federal-corporate cockroaches want you shining a light on their clandestine behind-the-fridge data gorging?

pertinent (1)

Say Full Hernandez (2976481) | 1 year,21 days | (#44215361)

may have been pertinent to briefly explain what he actually did in the summary

Similar to the Swartz case in one respect (0)

Anonymous Coward | 1 year,21 days | (#44215371)

Auernheimer didn't just violate the law, he intentionally did it on such a scale as to bring attention to himself. He was saying to the authorities as well as those on his side, look, you can't ignore what I just did. So they didn't.

What this really is (2)

Zontar_Thing_From_Ve (949321) | 1 year,21 days | (#44215425)

In reality this is just a case of the following:
Researcher finds that Joe Blow has gone out of town and left the door to his house unlocked and open. Researcher publishes this information in a blog along with the address to the house. House gets robbed. Police hold Researcher responsible. Researcher insists it's not his fault that the house got robbed.

Yes it really is that simple.

Re:What this really is (0)

Anonymous Coward | 1 year,21 days | (#44215469)

In reality this is just a case of the following:

Researcher finds that Joe Blow has gone out of town and left the door to his house unlocked and open. Researcher publishes this information in a blog along with the address to the house. House gets robbed. Police hold Researcher responsible. Researcher insists it's not his fault that the house got robbed.

Yes it really is that simple.

Actually a better analogy would include "Researcher steals everything from house as a 'proof of concept' that unlocked houses can be robbed". There was no need to download over 100,000 users' data and send copies of it to the media to prove that it could be done.

Re:What this really is (4, Insightful)

Culture20 (968837) | 1 year,21 days | (#44215539)

Did he delete the data on AT&T servers? Refine the analogy so the researcher is using a digital camera.

Re:What this really is (1)

JaredOfEuropa (526365) | 1 year,21 days | (#44215637)

Even better: "Researcher copies and publishes every document in the house as proof that the door was unlocked". Nothing was removed. I'd say that downloading the data and sharing it in some way with the press was necessary to demonstrate the weakness of AT&T's system, with the caveat that the press should use the data only to verify the claims, not publish them to the general public. His subsequent handling of the affair does merit some punishment though.

What was he actually being punished for; the hack, or the publication of private data?

Re:What this really is (1)

tnk1 (899206) | 1 year,21 days | (#44216169)

The home invasion scenario only goes so far. In a trespass situation, your presence in the house is enough to get you convicted, but you may well be able to get away with copies of documents and not face charges. I would believe, however, that such an action would aggravate your trespass, or at best, could be used against you in court as evidence that you were, in fact, in the house.

However, in the case of *consumer data*, there are specific laws about that data while they happen to be in computer systems. Chances are that data you could duplicate without legal ramifications from a home, you could still not duplicate from a computer system. Indeed, you might well come under the same headings as the company that is supposed to have protected your data to begin with.

Theoretically, he should be busted for the act of obtaining access to a computer system, although realistically, no one will bother to charge him if he simply gained access and did nothing. These are at least "semi-public access" systems and he needs to have demonstrated some intent to trespass, and with a computer, simply having your access attempt logged, with no follow up action, is unlikely to be very persuasive in front of a jury. If he admitted to it freely, they might get a conviction, but some web vulnerabilities are so easy to exploit that some people exploit them and don't even realize what they've done.

Re:What this really is (1)

abiggerhammer (753022) | 1 year,21 days | (#44215555)

By this logic, the developers of pleaserobme.com, which (before they decided they'd made their point and went to an informational site) mashed up Foursquare and Twitter data to determine when people had themselves voluntarily disclosed that they were out of their homes, should also be in prison. In other words, your analogy, along with AC's in reply to you, commit the logical fallacy of proving too much [wikipedia.org] .

Re:What this really is (1)

sideslash (1865434) | 1 year,21 days | (#44215583)

"Stealing" is a poor choice of words to refer to copying information. When you steal from a house, then the owners of the house don't have those possessions anymore. So no, it really is not as simple as your analogy.

Re:What this really is (0)

Anonymous Coward | 1 year,21 days | (#44215697)

What would be a better word then? He copied information that was not his to copy, accessed by a means not known to the common person.

The laws, as written, are ill-suited to deal with situations of this kind, but they're the only ones we've got at the moment.

Is 41 months too harsh? Probably. And it's a straight up punishment, not a deterrent to other people doing "independent security research".

Re:What this really is (1)

sideslash (1865434) | 1 year,21 days | (#44215757)

Why don't you just say he copied the information, my vocab-challenged AC?

Re:What this really is (1)

jedidiah (1196) | 1 year,21 days | (#44216303)

> What would be a better word then? He copied information that was not his to copy, accessed by a means not known to the common person.

What he did was actually much simpler than picking a lock.

Attempting to use the "average idiot" standard isn't terribly compelling because that's a moving target. Your claim about the difficulty of this task likely does not hold true across generations.

This "l33t hack" is probably a non-Herculean task for many young people, just as it seems pretty trivial to any computing professional or hobbyist.

Re:What this really is (1)

Patman64 (1622643) | 1 year,21 days | (#44216857)

Yeah, it's more like an office building where every single door inside is unlocked and there's no security to be found, someone tells the world, and people go in and photograph all the documents. And then the building manager gets mad at the guy who told everyone.

Re:What this really is (2)

mi (197448) | 1 year,21 days | (#44217029)

Well, if NSA going through your electronic mails — without even touching anything tangible in your house — is a violation of the 4th Amendment, then the distinction you are trying to make regarding copying electronic data is without (much) difference...

Re:What this really is (2)

Trepidity (597) | 1 year,21 days | (#44215665)

No, it isn't really related to that at all. Public-facing web servers, unlike houses, are not by default considered private. The public is expected to and routinely does enter. They are private property, but private property regularly offered to public use. If you require a physical space analogy, sort of like a plaza owned by a corporation, in front of its HQ, which has no fences around it and is regularly accessed by the public.

Re:What this really is (0)

Anonymous Coward | 1 year,21 days | (#44217093)

Public-facing web servers, unlike houses, are not by default considered private.

He had to forge his ID to get access. Sure it shouldn't have been that easy, but he didn't stop there. He forged millions of IDs to download information on 114K people. That's not research. When would you stop if you were researching? 10? 20? 50? Certainly if you kept going to 114K you were doing something else. Bad faith was involved, seriously bad faith.

Re:What this really is (1)

interkin3tic (1469267) | 1 year,21 days | (#44215901)

I don't think in your example that the researcher should be sent to jail. Maybe the homeowners could sue him in a civil suit, but the federal government shouldn't be sending him away for noting that someone left the door unlocked and open.

Re:What this really is (0)

Anonymous Coward | 1 year,21 days | (#44216085)

Researcher finds that Joe Blow has gone out of town and left the door to his house unlocked and open. Researcher publishes this information in a blog along with the address to the house. House gets robbed. Police hold Researcher responsible. Researcher insists it's not his fault that the house got robbed.

I do not know the details of what he "the Researcher" did, but it was definitely the case that Joe Blow/AT&T kept other people's stuff in his house. Having signed a contract to keep that stuff safe. So, even assuming your analogy holds, why is Mr Joe Blow not being punished in addition to whatever happens to the Researcher?

Re:What this really is (0)

Anonymous Coward | 1 year,21 days | (#44216471)

That's an absolutely terrible analogy. A company is not like a home and the security expectations of a company like AT&T are not like those in a home. AT&T is more like a bank than a home - a bank that stores important things that cannot be replaced. The situation is more like discovering that all the walls in your bank are holograms, including the walls to the vault. So anyone can just walk right through and take everyone's prized possessions stored in the vault. If you tell people that this bank has terrible security for this reason, you are at the same time letting bad people know that robbing the bank would be quite easy. In this situation I'd blame the bank for putting up holograms as a security measure. I would not blame the person who let the customers know that their bank has terrible security. So no, it really is not as simple as your analogy.

Re:What this really is (0)

Anonymous Coward | 1 year,21 days | (#44217037)

Door-to-house analogies don't work well, for data that is on public-facing servers w/out authentication.

If we're going to make up analogies, then why not this: the owner of a house consciously and deliberately moved all the house's contents onto the sidewalk. The analogy of the id-in-the-header is that the person who decided to move things to the sidewalk, was under the mistaken impression that the sidewalk was poorly lit and no one would be able to see the items sitting there.

It sucks that someone came by and helped himself to everything on the sidewalk. People who do that are assholes, and we ought to look for ways to hurt them. But deciding to hurt them by fraudulently charging them with B&E does not serve our interests, because it just undermines the seriousness of B&E convictions, and we want B&E to remain a real crime. Also, B&E sentencing is likely to be far heavier than the type of harm that we'd normally choose to inflict upon people who abuse sidewalks, so not only does it work against our selfish interests, but it works against justice too.

Re:What this really is (1)

jkflying (2190798) | 1 year,21 days | (#44217053)

I think a good analogy would be a post office making all its PO boxes open when you knock on them. He opened his box and noticed that they were horribly designed, so then he knocked on all of them and took pictures of the contents, which he sent to a local journalist as proof of the poor design that he had discovered.

Sure, what he did was overboard. But having such a poor security mechanism on their mail boxes is most certainly the fault of the post office. He should be blamed for the publicising (unless it can be shown that he first went to the post office and gave them reasonable warning), and the post office blamed for the poor design of the mail boxes.

I have it on good authority (0)

Anonymous Coward | 1 year,21 days | (#44215437)

that none know nor care about "Weev"; weev got our own lives to live.

AlphaFalfa

Authoritarian governments (2, Informative)

Anonymous Coward | 1 year,21 days | (#44215463)

...will be the first pwned in a cyberwar because fear will have kept their system from ever being tested.

Sorry (4, Insightful)

damicatz (711271) | 1 year,21 days | (#44215467)

I'm finding trouble having sympathy for this guy.

He manipulated URLs to access areas that were not publicly visible. The information that he gleaned by manipulating these URLs was information that any reasonable person would deduce as information AT&T did not intend to make public. Rather than informing AT&T about the vulnerability, he went to Gawker and leaked the information that he gained, victimizing all of those people in the process. Just because someone leaves a door unlocked or open does not give you the right to go in and steal stuff, and this is no different. Mens rea is *everything* here; if he had just gone to AT&T or acted responsibly in the disclosure, rather than trolling, he would most likely have never been charged.

As far as the prison sentence goes, he brought that on himself as well. It is *beyond* stupid to swear at a federal judge and call her a "mean bitch" when she is the one that is sentencing you. It is *beyond* stupid to go on a public forum and post that you intend to commit the same crimes again once you get out of prison. Do not complain when you get the book thrown at you after you try to turn the courtroom and the trial into a three-ring circus. Trolling a federal judge is never a good idea.

There is also the matter of his past history. I have not forgotten about what he did to Kathy Sierra or the other women that he made rape threats against. Or the "GNAA". His entire life has been dedicated to griefing people and generally being an asshole and yeah, the judge is going to look at that.

Re:Sorry (0)

Anonymous Coward | 1 year,21 days | (#44215577)

Was he the one who anonymously harassed Kathy Sierra (founder of javaranch.com)? I remember she told a reporter she was frightened. This guy should be in prison for that.

Re:Sorry (2)

damicatz (711271) | 1 year,21 days | (#44215763)

Re:Sorry (1, Informative)

Charliemopps (1157495) | 1 year,21 days | (#44216291)

Ok, that link should be at the top of this discussion. After reading that I've no interest in seeing him get out of jail.

Re:Sorry (3, Insightful)

CanHasDIY (1672858) | 1 year,21 days | (#44215589)

As far as the prison sentence goes, he brought that on himself as well. It is *beyond* stupid to swear at a federal judge and call her a "mean bitch" when she is the one that is sentencing you. It is *beyond* stupid to go on a public forum and post that you intend to commit the same crimes again once you get out of prison. Do not complain when you get the book thrown at you after you try to turn the courtroom and the trial into a three-ring circus. Trolling a federal judge is never a good idea.

Yea, it's not like the people who came up with the idea for this country made it the law that every citizen has a right to bitch to and about government agents, right?

Oh, wait... [wikipedia.org]

You know, it's a sad day in America when the exercise of our civil liberties is colloquially considered to be a "stupid" action...

Re:Sorry (2)

damicatz (711271) | 1 year,21 days | (#44215619)

You have the right to free speech. That doesn't mean you have immunity from the consequences of your speech. If you go around telling everyone, during sentencing, that you are going to go and commit the same crime again (regardless of whether you agree it should be a crime or not), the judge is absolutely going to take that into account during sentencing because it indicates a high probability that the person will do the same thing again.

Re:Sorry (1)

CanHasDIY (1672858) | 1 year,21 days | (#44215773)

You have the right to free speech. That doesn't mean you have immunity from the consequences of your speech.

When it comes to speech about the government, you're supposed to have immunity.

That's kinda the whole fucking point; they aren't really civil liberties if you can be punished by the government by exercising them.

Re:Sorry (2)

damicatz (711271) | 1 year,21 days | (#44215859)

The problem is, that simply isn't how it works and it has never worked that way.

For example, there is something called the reasonable time and place restriction. If you try to hold a protest in front of the White House at 2am in the morning, you absolutely will be forced away by the police and them doing such is perfectly constitutional. The same goes for a courtroom; you cannot act out in court. If you disagree with a judge, the appropriate process is to appeal that decision. And, furthermore, things you say can be used against you in court (Look up Miranda Warning).

Re:Sorry (1)

CanHasDIY (1672858) | 1 year,21 days | (#44216165)

For example, there is something called the reasonable time and place restriction.

[citation needed], as from what I see:

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

No such distinction is made; or perhaps 'shall make no law' and 'abridging' have a different meaning in the parallel universe you inhabit?

Don't even bother with any of that 'legal precedent' nonsense, either, as any 9th grader who stayed awake in Civics can tell you that the Constitution cannot be superseded by anything short of a Constitutional amendment, which case law does not qualify as (perhaps that's what's wrong with our legislators - too busy having coke & whore parties to actually pay attention in their secondary school governance classes).

The same goes for a courtroom; you cannot act out in court.

... and yet, stripping naked in a public place is considered "protected speech"... [rt.com]

Seems pretty convenient, that 'free speech' only seems to apply when a citizen is not in sight or earshot of a government agent, doesn't it?

Here's an idea: maybe you should go back and read over some of the other writings of the Constitution's signators, and develop for yourself a concept of why we have civil liberties to begin with. I'll give you a hint: the concept and assignment of rights has absolutely nothing to do with how citizens interact with one another.

Re:Sorry (1)

damicatz (711271) | 1 year,21 days | (#44216305)

Re:Sorry (1)

CanHasDIY (1672858) | 1 year,21 days | (#44216839)

While technically correct (in the bureaucratic-red-tape-nightmare sense), nothing in the link you posted indicates that it is legal or right to give a citizen a harsher sentence for expressing their right to free speech, TPM restrictions notwithstanding. Any judge giving the defendant a longer sentence solely because said defendant pissed her off (with harmless words, mind you) is an affront to the idea of justice, no matter how you try to spin it.

Also, I noticed you've decided to not respond to the rest of my comment; is this an example of agreement-by-lack-of-valid-argument, or are you still looking for sources to support an anti-liberty stance?

Re:Sorry (0)

Anonymous Coward | 1 year,21 days | (#44215795)

While I agree that the defendant's behaviour was stupid, that bit is better covered by having a large part of the sentence on probation, with a sufficiently long probation period. Sentencing should not punish the defendant for things he might do in the future (even if he said so).

Re:Sorry (1)

Nemyst (1383049) | 1 year,21 days | (#44215683)

Wait, you do realize your free speech right only means you have the right to say it, right? It doesn't shield you from the consequences of saying it. The guy was indeed allowed to say it, and wasn't necessarily punished for it, but in any normal society being an asshole isn't going to positively influence the people around you. You can still do it, but don't whine about the consequences.

Re:Sorry (1)

adri (173121) | 1 year,21 days | (#44215731)

Actually, re-read what the right of free speech in the united states means. Then please re-evaluate your statement.

Re:Sorry (1)

CanHasDIY (1672858) | 1 year,21 days | (#44215809)

Actually, re-read what the right of free speech in the united states means. Then please re-evaluate your statement.

Yea, this.

Contrary to modern ideology, freedom of speech has absolutely nothing to do with the right to blast everyone around you with ads and crappy music, but rather references our natural right to bitch about the government without having to fear repercussions.... like, say, being given an extended prison sentence because you mouthed off to a government agent.

Weev should sue that mean bitch for civil rights violations, maybe even get her Constitutionally-ignorant ass barred from the bench.

Re:Sorry (1)

Glarimore (1795666) | 1 year,21 days | (#44216247)

You do realize that the whole point of "Free Speech" is that it DOES shield you from consequences of your speech that would come from the GOVERNMENT. You know, like extra jail time?!

Re:Sorry (1)

Anonymous Coward | 1 year,21 days | (#44215723)

Just because you have the right to do something doesn't mean it's the right thing to do, let alone a smart thing to do.

Re:Sorry (0)

Anonymous Coward | 1 year,21 days | (#44215735)

A human element comes into play with law enforcement, as in many other areas of our lives. If you drive by a cop, roll down your window, and say, "GOOOD AFTERNOON Pole-eece ossifer!" there's a high likelihood that you'll be pulled over and busted for a minor traffic or safety violation.

Re:Sorry (1)

CanHasDIY (1672858) | 1 year,21 days | (#44215791)

A human element comes into play with law enforcement, as in many other areas of our lives. If you drive by a cop, roll down your window, and say, "GOOOD AFTERNOON Pole-eece ossifer!" there's a high likelihood that you'll be pulled over and busted for a minor traffic or safety violation.

Which is a gross violation of your civil liberties, an act that you and every bystander in earshot should actively protest to that pig's face.

We won't have any rights before long, if pussified bitches (like some of the respondents here) won't grow the balls necessary to defend them.

Re:Sorry (1)

Trepidity (597) | 1 year,21 days | (#44215675)

I agree trolling a federal judge is not a good idea, but that doesn't really excuse the judge inventing a sentence outside the federal sentencing guidelines based on a flimsy justification. Damages still have to be computed in a legitimate manner, and the judge is still restricted by the sentencing guidelines, even if they hate the defendant.

Re:Sorry (1)

ameen.ross (2498000) | 1 year,21 days | (#44216359)

But, but, she was really angry!

Re:Sorry (4, Interesting)

thoriumbr (1152281) | 1 year,21 days | (#44215681)

Let's pretend you have a million bucks in some bank (you do, don't you?). The bank says it will protect your money with their lives, and everything is secure. Someday you hear that one researcher (or troll, or terrorist) went to the parking lot next to the bank, started a sniffer, and discovered that your bank uses unencrypted WIFI networks, so he added a private IP address to his network card and could access all bank servers and read data from any account.
Who would you blame? The bank or the guy?

I still think that Weev is not a saint, but AT&T is to be blamed here. AT&T had to get a hefty fine for gross negligence, putting hundreds of thousands of customers in danger. Weev must be fined too, but serving 41 months of jail time is too much, IMHO.

Re:Sorry (2)

damicatz (711271) | 1 year,21 days | (#44215737)

Both. What AT&T did was stupid and inexcusable from a security standpoint but that doesn't make exploiting it right. As I said, I would have more sympathy if he were a legitimate security researcher who tried to go through the proper channels. As it stands, he is nothing but a troll that has devoted his entire life to making other people miserable and he finally trolled one person too many.

Re:Sorry (1)

newcastlejon (1483695) | 1 year,21 days | (#44216331)

...
Who would you blame? The bank or the guy?

Both of them. It needn't be an either-or. The guy shouldn't be messing around with the bank's systems, and the bank shouldn't make it so easy for him to do so.

Re:Sorry (3, Insightful)

interkin3tic (1469267) | 1 year,21 days | (#44215919)

Unfortunately, now there's a precedent for sending the next whistleblower to prison, even if said next whistleblower was a saint.

I suppose that probably would have happened anyway, since somehow companies think that a scapegoat will distract from their security lapses.

Re:Sorry (1)

c (8461) | 1 year,21 days | (#44216171)

if he had just gone to AT&T or acted responsibly in the disclosure, rather than trolling, he would most likely have never been charged.

I tend to agree with most of what you wrote, except that.

It's been shown time and time again that when it comes to reporting security issues, large corporations like AT&T have a very strong "shoot the messenger" tendency. Unless you can do it anonymously, reporting a disclosure to them is almost certain to get you charged.

Re:Sorry (2)

Glarimore (1795666) | 1 year,21 days | (#44216229)

He went to Gawker and leaked the information that he gained, victimizing all of those people in the process. Just because someone leaves a door unlocked or open does not give you the right to go in and steal stuff and this is no different.

A door being unlocked doesn't obligate you to inform the owner of the door, nor is there any reason you can't tell someone else about it.

It is *beyond* stupid to swear at a federal judge and call her a "mean bitch" when she is the one that is sentencing you.

I think that, like with police officers, it is up to a judge to be the "bigger man" and realize that although it is rude, being a dick isn't something someone should get jail time for.

It is *beyond* stupid to go on a public forum and post that you intend to commit the same crimes again once you get out of prison.

It is stupid, but if the "crimes" that landed him in jail should not have led him to be serving jail time to begin with, I think he has reason to make a big, public hubbub about it. The guy is an asshole, but I don't want any dangerous precedents being set just so he gets punished. Besides, there is nothing to gain from him being in jail.

His entire life has been dedicated to griefing people and generally being an asshole and yeah, the judge is going to look at that.

Maybe we should go ahead and throw Kanye West in jail the next time he gets a moving violation? I mean, the guy is generally an asshole.

Re:Sorry (0)

Anonymous Coward | 1 year,21 days | (#44216485)

It is *beyond* stupid to swear at a federal judge and call her a "mean bitch" when she is the one that is sentencing you.

I think that, like with police officers, it is up to a judge to be the "bigger man" and realize that although it is rude, being a dick isn't something someone should get jail time for.

Generally, I agree with you here. However, being a dick is something you can get jail time for. It's called contempt of court. She could've found him in contempt and tossed him in the lockup for a couple days if that was the case. Using it to affect sentencing instead is not awesome.

Re:Sorry (1)

jedidiah (1196) | 1 year,21 days | (#44216335)

> I'm finding trouble having sympathy for this guy.
>
> He manipulated URLs to access areas that were not publicly visible.

Which really only puts him at the "not suffering from downs syndrome" level of intelligence.

It's a public server. Permission is implicit in the fact that something is world readable. That is what those permissions are for.

Abusing trespass laws to prosecute people that enter public places is just Fascist nonsense.

Re:Sorry (1)

Anonymous Coward | 1 year,21 days | (#44217185)

I'm finding trouble having sympathy for this guy.

You're not supposed to.

It is *beyond* stupid to swear at a federal judge and call her a "mean bitch" when she is the one that is sentencing you.

Of course. Nevertheless, though, surely you would prefer to live in a world where doing that isn't stupid, where people are allowed to say what they think. If someone mouths off to a judge, we think they're going to be punished for doing that, but we hope they won't be.

On to the real meat of the issue:

he went to Gawker and leaked the information that he gained, victimizing all of those people in the process.

So charge him with something for that! This guy got punished for how he obtained the information, instead of being punished for his harm he intended to wreak with the information. There are tons of ways he could have acquired the database, and posting to gawker would be equally vicious conclusion to any story. The

Good! (0)

Anonymous Coward | 1 year,21 days | (#44215521)

Weev's conviction bad law, but if upheld, it will destroy independent security research, and perhaps the rest of consumer safety research as well.

Good. If we have safe secure products, the terrorists win!

Space Rogue? (0)

Anonymous Coward | 1 year,21 days | (#44215549)

Is a judge really going to read an amicus curiae brief from someone named "Space Rogue"?

Two words: RESPONSIBLE DISCLOSURE (2)

MobyDisk (75490) | 1 year,21 days | (#44215799)

RESPONSIBLE DISCLOSURE! RESPONSIBLE DISCLOSURE! RESPONSIBLE DISCLOSURE!

We need a law that states what is legally protected responsible vulnerability disclosure. Something that says "If you do it this way you are not a criminal." Something like:

1) Notify the responsible organization.
2) Give them X days.
3) After that, you may optionally notify a responsible government agency or industry organization like CERT.
4) Give them X days.
5) After that, you may go public with the information.
etc.

Anyone in the security industry should already know to do this, but a law would make it clear.

Re:Two words: RESPONSIBLE DISCLOSURE (1)

idontgno (624372) | 1 year,21 days | (#44216155)

But we already have a law [wikipedia.org] that accomplishes the intents and purposes of the only ones who matter: corporations.

In their mindset, there's no such thing as responsible disclosure. Any disclosure damages them and must be prevented and, if necessary, strongly punished. That way they can continue being incompetent and insecure (and save lots of money, so more profits for everyone who matters), and anyone who tries to uncover vulnerabilities will be treated as the anti-profit criminal worm they obviously are.

The ones who pay for the laws have gotten exactly the law they want. NOTABUG Working as designed.

Re:Two words: RESPONSIBLE DISCLOSURE (0)

Anonymous Coward | 1 year,21 days | (#44216427)

It's not a bug, it's a feature!

And the sentence length is growing (0)

Anonymous Coward | 1 year,21 days | (#44215923)

Just take a look at position papers like this one [cybercrimejournal.com] (fulltext PDF) and you'll see that while the average length of a computer-related conviction sentence may be somewhere around three years, they're calling for more. And all we have is the EFF standing between us and going to jail forever.

weak argument (0)

Anonymous Coward | 1 year,21 days | (#44215943)

The posters who show examples of more serious crimes like arson, rape and bloody murder that received short sentences are making an argument for increasing those sentences, not shortening Mr. Auernheimer's.

The brief missed a useful use case (3, Insightful)

Anonymous Coward | 1 year,21 days | (#44216011)

The brief describes how a web request is like asking a librarian for a book.
    If the book is non-public she then asks for credentials and if they are ok gives you the book.
        Since the ATT's web server didn't ask for credentials, the web pages were fair game.

This misses another use case.
    It is also possible to include your credentials with the request for the book.
        A librarian would respond to this request for private data just like a request for public data.
          The included credentials could be a big, secure random number, or an obvious small number like the record number.

In some cases a web site uses a simple record number for public data so that a user can access it by providing the record number.
    In this case AT&T used a simple record number for private data which they did not want accessed.

One could argue that they 'locked' the data, but with a cheap lock.
    The thing is, one can recognize a physical lock and know to respect it.
          In this case the web server provided no indication that the data was private.
                In fact, as the brief outlines, it indicated the reverse.

From their reactions, both AT&T and the security guy knew the information contained in the data should not have been public.
      The security guy did not benefit from the data, but rather published the problem so it would get fixed
            (Without this, good guys might have walked by this 'lock' but how many bad guys quietly didn't?)
      AT&T reacted to 'kill the messenger' by declaring after the fact that the data was private.

It doesn't seem good law to allow this to stand.
        1) It removes the feedback which closed the security hole.
        2) It allows the server owner to escape responsibility for a poor (perhaps dangerous) design.
        3) It makes it impossible to draw the line for 'normal' versus 'criminal' web browsing for us all.
        4) It leaves a generally harmless guy in jail for violating an after the fact business rule.

Re: The brief missed a useful use case (0)

Anonymous Coward | 1 year,21 days | (#44216673)

Your indentation is absurd.
Lrn2english, kthxbye.

Re:The brief missed a useful use case (1)

abiggerhammer (753022) | 1 year,21 days | (#44216883)

How is the record number a credential? The record number refers to the item to be retrieved. Using the record number as a credential (sent with the request or not) is terrible design -- you're literally saying that the credential to retrieve the record is the same as the identifier of the record, which reduces to an unauthenticated GET request. This isn't even one-factor authentication, it's no-factor authentication.
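
The design point above, that a record number doubling as the "credential" reduces to an unauthenticated GET, is shown below in working code. This is an added example, not code from the thread, the amicus brief, or AT&T: the records, users, session tokens, the `/records/<id>` URL path and the access-log format are all constructed. It puts the no-factor lookup next to a version where the server asks for a credential separate from the identifier and checks ownership, and adds the defender-side check the poster at #44216011 hints at (how many people quietly walked the keyspace?): a detector that flags clients retrieving many distinct record numbers from constructed log lines.

```python
"""Identifier-as-credential (no-factor auth) versus a real authentication and
authorization check, plus a log-based enumeration detector. All data is
constructed for the example; nothing here is AT&T's schema or endpoint."""
import hmac
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data: record number -> (owner username, private e-mail)
RECORDS: Dict[int, Tuple[str, str]] = {
    1001: ("alice", "alice@example.com"),
    1002: ("bob", "bob@example.com"),
    1003: ("carol", "carol@example.com"),
}

# Constructed session store: bearer token -> authenticated user
SESSIONS: Dict[str, str] = {
    "tok-alice-1": "alice",
    "tok-bob-1": "bob",
}


@dataclass
class Response:
    status: int
    body: Optional[str] = None
    www_authenticate: Optional[str] = None


def lookup_no_factor(record_id: int) -> Response:
    """The flawed design discussed in the thread: the record number is both the
    identifier and the only thing the server checks. Nothing authenticates the
    caller, so any valid number returns somebody's private data."""
    rec = RECORDS.get(record_id)
    if rec is None:
        return Response(404)
    return Response(200, rec[1])


def lookup_authenticated(record_id: int, bearer: Optional[str]) -> Response:
    """Hardened form. The credential is separate from the identifier: a missing
    or unknown token gets 401 plus a WWW-Authenticate challenge (the librarian
    asking for credentials), and a valid user may only read a record they own."""
    user = None
    if bearer is not None:
        # Constant-time comparison so token guesses leak nothing via timing.
        for tok, owner in SESSIONS.items():
            if hmac.compare_digest(tok.encode(), bearer.encode()):
                user = owner
                break
    if user is None:
        return Response(401, www_authenticate='Bearer realm="records"')
    rec = RECORDS.get(record_id)
    if rec is None:
        return Response(404)
    if rec[0] != user:
        # Record exists but belongs to someone else: authorization failure.
        return Response(403)
    return Response(200, rec[1])


# Constructed log format: "<client> GET /records/<id> <status>"
LOG_RE = re.compile(r"^(\S+) GET /records/(\d+) (\d{3})$")


def detect_enumeration(log_lines: List[str], threshold: int = 20) -> List[str]:
    """Defender-side check: flag clients that successfully fetched at least
    `threshold` distinct record numbers. A legitimate user views their own
    record; walking consecutive identifiers is the enumeration signature."""
    seen: Dict[str, Set[int]] = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a record lookup; ignore
        client, rid, status = m.group(1), int(m.group(2)), int(m.group(3))
        if status == 200:
            seen[client].add(rid)
    return sorted(c for c, ids in seen.items() if len(ids) >= threshold)


# Constructed access log: one client walks consecutive record numbers,
# another reads a single record and then fails authentication once.
ACCESS_LOG = [
    "203.0.113.5 GET /records/1001 200",
    "203.0.113.5 GET /records/1002 200",
    "203.0.113.5 GET /records/1003 200",
    "203.0.113.5 GET /records/1004 404",
    "203.0.113.5 GET /records/1005 200",
    "198.51.100.7 GET /records/1002 200",
    "198.51.100.7 GET /records/1003 401",
]

if __name__ == "__main__":
    print(lookup_no_factor(1002))                      # leaks bob's address
    print(lookup_authenticated(1002, None))            # 401 challenge
    print(lookup_authenticated(1002, "tok-alice-1"))   # 403, not alice's record
    print(lookup_authenticated(1001, "tok-alice-1"))   # 200, her own record
    print(detect_enumeration(ACCESS_LOG, threshold=3))  # ['203.0.113.5']
```

The 401 response is the part the thread's librarian analogy turns on: a server that never challenges for credentials gives the client no signal that the data is private, whereas the hardened handler makes the boundary explicit before any record is consulted. The detector's threshold is a tuning knob; a low value suits an endpoint where each user has exactly one record.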

Re:The brief missed a useful use case (1)

Zero__Kelvin (151819) | 1 year,21 days | (#44217175)

That is some of the worst poetry I have ever read.

responsible disclosure? (0)

Anonymous Coward | 1 year,21 days | (#44216081)

ehm ... why not send ~100k emails with spoofed sender address (from:pissed-off-att-customer@example.com)
to AT&T complaining about how they're giving away their email addresses thru a leaky website?
i would personally like to know how the affected email-address-owners think about this ...

there is only one law, the rest are a facade (1)

Anonymous Coward | 1 year,21 days | (#44216103)

"thou shalt not inconvenience anyone with more power than you" is the whole of the law

if you break that law then the powerful people will make you suffer

in our civilized society the powerful people don't get their hands dirty personally so they hire goons to enforce their will

the goons wear uniforms and carry badges to symbolize how they are the extensions of the will of the powerful people, if a goon is useful and vicious enough he can join the ranks of the powerful himself

once you realize how the "law" works then everything else makes sense

Re: there is only one law, the rest are a facade (0)

Anonymous Coward | 1 year,21 days | (#44217009)

From which it also follows that the relatively small number of individuals with significant apparent power only maintain that power as long as the masses of people allow them to. Get enough people together willing to change the status quo (not a mean feat) and it changes, one way or another. Most important part of running an empire is to keep the "sheeple" content enough to not realize that they have more teeth than the wolves.

It could be unauthorized access, here's the logic (1)

tp_xyzzy (1575867) | 1 year,21 days | (#44216357)

If we consider the URL trick to be an operation that normal people would not do. Further, after the URL trick, he got access to someone else's account details. It's pretty similar to normal hacking operations -- find gaps in the protection of the data, and once found, utilize the gaps to cause damage. He bypasses security measures by skipping the authentication mechanisms and accessing someone else's account. In this case, every AT&T customer's account details. Once he saw the unauthorized account details, he didn't stop there, but created software to fetch all the data he could find. By this operation, he upgraded himself from a normal web user to a software expert, and software experts are supposed to know that unauthorized access to someone else's data is not allowed. Convicting this guy in no way changes the status of normal web users as the amici think, but changes the status of software experts. Experts now need to be more careful about how they publish data. Software experts anyway need to be very careful about what data to publish. Giving account details of someone else fetched from AT&T's servers to the press is just a very stupid operation for a software expert. I say this is unauthorised access of AT&T's servers, regardless of what response the server is giving. The server configuration just doesn't matter. He bypassed the authentication mechanisms to access accounts of AT&T's customers. The jump from software expert to security researcher is a tricky one. As a software expert he's clearly breaking publishing rules. If he cannot make the jump from software expert to security researcher, then the conviction is just OK. Not all software experts need to be security researchers.

Pizzas are going to be cancelled (0)

Anonymous Coward | 1 year,21 days | (#44216425)

Let's hope eloh gets his 'za this time around.

F!ucKer (-1)

Anonymous Coward | 1 year,21 days | (#44216449)

The most? vibrant members' ckreative