
Is Weev Still In Jail Because the Government Doesn't Understand What Hacking Is?

samzenpus posted about 5 months ago | from the you-say-tomato-I-say-tomato dept.

United States 246

Daniel_Stuckey writes "Last March, weev, the notorious internet troll who seems to be equally celebrated and reviled, was convicted of accessing a computer without authorization and identity fraud, and sentenced to serve 41 months in prison. 'He had to decrypt and decode, and do all of these things I don't even understand,' Assistant US Attorney Glenn Moramarco argued. Here, on a Wednesday morning in Philadelphia, before a packed courtroom, the federal prosecution argued that a hacker should spend three and a half years in prison for committing a crime it couldn't fully comprehend. Previously, Orin Kerr, a law professor at George Washington University and weev's defense attorney, had argued first and foremost that there was no criminal hacking to speak of. According to Kerr, what weev and Daniel Spitler (who pleaded guilty to avoid jail time) had done while working as an outfit called Goatse Security was entirely legal, even though it embarrassed public officials and some of the country's biggest corporations."

246 comments

Goatse Security??? (5, Funny)

wisnoskij (1206448) | about 5 months ago | (#46530413)

They totally sound trustworthy.

Re:Goatse Security??? (5, Funny)

ATMAvatar (648864) | about 5 months ago | (#46530471)

Why not? They know all about gaping holes... in security, among other things.

Re:Goatse Security??? (5, Funny)

artfulshrapnel (1893096) | about 5 months ago | (#46531077)

And backdoors.

Re:Goatse Security??? (3, Funny)

Anonymous Coward | about 5 months ago | (#46530473)

> They totally sound trustworthy.

Some use security-by-obscurity
Others prefer security-by-scarity

In the 18th century ... (5, Insightful)

Taco Cowboy (5327) | about 5 months ago | (#46531247)

... people can claim that they did not know how to do witchcraft, but they could point out to the judge which persons were witches and which were not.

In the 21st century, people can claim that they do not know how to hack, but they can tell the court who are the hackers and who are not.

As if people never learned any lesson from what had transpired three long centuries ago.

Re:Goatse Security??? (5, Funny)

killkillkill (884238) | about 5 months ago | (#46530655)

Maybe they are, but I'll never find out. There's no way I'm clicking that link to learn more about them... Then again, it still might be easier on the eyes than Beta.

No. (1, Informative)

RyuuzakiTetsuya (195424) | about 5 months ago | (#46530431)

He's in jail because he accessed a crapload of records from ATT he shouldn't have.

Not to say ATT shouldn't have used better security, mind you, but thems the breaks. It's not like the end point he found was big P public. He found it snooping on the traffic from an ipad during sign up.

Furthermore instead of going to ATT, he went to Gawker first.

So. No.

Re: No. (5, Informative)

Anonymous Coward | about 5 months ago | (#46530507)

Any public URL that is unencrypted is not a secret. Snooping on plaintext is not snooping at all. And he had no legal requirement to notify AT&T first. Besides, even if he had, they don't care about security until it goes viral. I notified them of an information leak on their iOS translation app that allowed other apps access to your translations and location data. Not only were they unable to figure out who was responsible for the app, they ultimately told me to call Apple. I tried the support for the app as well as customer service. I emailed their PR rep too. Zero response.

Re: No. (1)

ShieldW0lf (601553) | about 5 months ago | (#46530765)

He should not have been found guilty of hacking.

But, he's a sadist who spreads misinformation and lies. Lethal injection.

Re: No. (5, Insightful)

dnavid (2842431) | about 5 months ago | (#46530915)

> Any public URL that is unencrypted is not a secret. Snooping on plaintext is not snooping at all. And he had no legal requirement to notify AT&T first. Besides, even if he had, they don't care about security until it goes viral. I notified them of an information leak on their iOS translation app that allowed other apps access to your translations and location data. Not only were they unable to figure out who was responsible for the app, they ultimately told me to call Apple. I tried the support for the app as well as customer service. I emailed their PR rep too. Zero response.

I'm really uncomfortable with that logic. First of all, saying that if all it takes is typing in a URL, then of course it's public belies a level of ignorance just as high as the government in this case. "Just a URL" in the modern internet could be anything. SQL-injection is programmatic hijacking of a database server, but it often requires "just a URL." Buffer overflow attacks require just a URL, many Apache worms required just a URL to propagate because of the way URL content can be processed. Just a URL is like saying all programs are just notepad documents. It cannot be the case that "if I can get there, then I get to take whatever I want" is the rule of the internet. I read in another article the analogy that AT&T basically put the material on a library bookshelf for anyone to read. That's not a good analogy: a better analogy is weev went to a public library, found that someone forgot to lock the door to the reserve stacks, and decided to go there and take a bunch of books home with him just because he could.

That is not the person I want to be the flag-bearer for my sense of fairness.

Second, giving anyone who points out a failing in others a free pass to point it out by any means is also something I'm really uncomfortable with. If it's okay when done to big companies like AT&T and Apple, then it's just as okay to do to smaller organizations like your neighborhood grocery store, or your house.

Re: No. (4, Insightful)

artfulshrapnel (1893096) | about 5 months ago | (#46531107)

I mean, fair enough. But if you can access every customer's record on a massive nationwide system by incrementing a single digit? That strikes me as "basically public". I sometimes exploit the same "hacking" to find the page of a webcomic I want to read if I forget the bookmark.

As the article says: Does he deserve to go to jail? Probably. For this? No.

Re: No. (1)

cheater512 (783349) | about 5 months ago | (#46531197)

You think there should be defences for someone who codes a SQL injection in this day and age?

Because by penalising the 'attacker', you are creating a defence for it. They are the bad person, we are the victim.
When in reality it is pure incompetence - like leaving the till open and realising an hour later that it is empty.

Now I'm not saying that hacking websites maliciously is right, but there needs to be a *greater* punishment against whoever allowed it to occur to begin with.
Someone who leaves the till open for an hour certainly will not keep their job for example.

Re: No. (3, Insightful)

Anonymous Coward | about 5 months ago | (#46531359)

yep, there's the good ol hacker "she was asking for it" defense.

the egg would have been all over at&t's face if this info had been released anonymously. but weev had his awesome internet persona to worry about.

someone forgot to tell him the cool part of hacking is not getting caught

Re: No. (2, Insightful)

Anonymous Coward | about 5 months ago | (#46531455)

How is this any different from someone just unlocking your front door because the lock mechanism is stupid and helping himself to all your belongings? Or how would you feel if you left your house and you left one of the windows open and so someone decided because the window was open, he is basically invited in to your house and can take whatever he wants? Only a fool would make the argument that the thief has any right to be in your house. You can argue the homeowner should be more careful and get a better lock and close all his windows. You can argue that someone walking by and leaving a note to the house owner warning about the perils of being reckless is being a good citizen. However, the second this good citizen decides to actually enter the house and look around and take stuff, he is being a criminal.

Re: No. (3, Interesting)

king neckbeard (1801738) | about 5 months ago | (#46531515)

The notion is more that AT&T has a responsibility to its customers to diligently protect its customers' sensitive information. It's not really saying that there is nothing wrong with the actions, but rather that the far greater concern is the irresponsibility of the party whose security was so poor.

Let's take this idea to an extreme scenario, albeit one that's not too improbable. For a very long time, a nuclear launch code was actually '00000000.' Let's say some hacker had accessed their network, determined this was the case, and made all of the machines with displays on the network say 'Change the fucking password before you doom us all, you stupid fuckwits.' Who are you going to be angry at, the hacker who intercepted their network, or the party that ignored their responsibility in protecting something that could have potentially destroyed civilization as we know it?

Re: No. (0)

Anonymous Coward | about 5 months ago | (#46531851)

a server is not a fucking house, stop comparing apples with oranges

Re: No. (0)

Anonymous Coward | about 5 months ago | (#46531329)

> "Just a URL" in the modern internet could be anything.

Intentional or not, the interoperability is there. There are no guidelines indicating proper use of that api.

Re: No. (2)

sjames (1099) | about 5 months ago | (#46531689)

For the most part, on the web it really is up to the server to tell you if you're going somewhere forbidden. It's the only way to positively know.

I acknowledge that in this particular case, it could be argued that he should have soon realized that he was in a restricted area. However, given the convention (for the web AND for a physical business presence) and the ambiguity, it sounds like a misdemeanor charge at most to me.

If you're going to talk about fairness, you must address a 3.5 year prison sentence for discovering a few email addresses (and then not actually publishing them) in an unlocked back room.

Re: No. (-1)

Anonymous Coward | about 5 months ago | (#46531843)

Actually hacking (without using social engineering) should not be considered a crime at all (maybe an administrative violation, associated with a fee). It is a technical problem and should be solved by technical means. The company that leaks data because of bad security policies on the other hand should be fined to death, otherwise no company will take security seriously.

No thousand time no (2)

aepervius (535155) | about 5 months ago | (#46531577)

There is no difference between a physical entity and an electronic entity. Or are you pretending we need MORE law to regulate electronic/internet entities? No? Then imagine if I was telling you this:

"Any door that is unlocked is not a free for all. Opening and entering that door is not trespassing at all. And he had no legal requirement to notify the door owner first."

We have already enough law on the book. If you are accessing a direct URL and manipulate the URL to see what is not normally accessible thru the public portal by a link, you are trespassing. Any "but it is not behind a lock / password" is a bullshit defense.

Re:No. (3, Insightful)

Charliemopps (1157495) | about 5 months ago | (#46530529)

Ah... no. If I can type the exploit into the address bar and I need no more than autohotkey to download their entire god damned database then that's not a hack. They made their bathroom walls out of glass and then complained that he was a peeping tom for setting up a webcam from across the street. Scuzzy? yes, but not illegal. The government shouldn't have to protect you from what common sense should.

So if you forget to lock your front door (4, Insightful)

Sycraft-fu (314770) | about 5 months ago | (#46530601)

And it blows open in the wind, I can just hop on in to your house and nose around?

The answer, in case you are wondering, is no. While you should take precautions to secure your house, your failure to do so is not the same as permission to enter or do as I please.

Re:So if you forget to lock your front door (4, Insightful)

Urza9814 (883915) | about 5 months ago | (#46530613)

This isn't a house, it's an office building.

And he didn't just walk in, the server provided the information to him.

So, he walks into an office building, asks the security guard if he can walk right up to the conference room, and the guard says 'yeah, sure, why not' so he does...and now he's being arrested for trespassing.

Re:So if you forget to lock your front door (2)

Cramer (69040) | about 5 months ago | (#46530971)

> the server provided the information to him.

Right. He was just sitting there looking at a gmail screen when an AT&T server just started filling his browser with ICC's and email addresses.

He had to *request* the address for each, individual, ICC, through an internal interface that is not publicized. An interface he found while digging through the activation process (looking at the network traffic), apparently. The CFAA has no requirements for a lock-and-key system to constitute unauthorized access; without authorization is just what it says on the tin... no "authorization" has been given. (the old "well, they didn't tell me I couldn't" argument.)

Re:So if you forget to lock your front door (3, Funny)

bunratty (545641) | about 5 months ago | (#46531053)

Joshua called me!

Re:So if you forget to lock your front door (1)

Cramer (69040) | about 5 months ago | (#46531111)

Hah. Only because David called him first and hung up.

(by today's screwy courts, we'd add identity theft/fraud to his charges for pretending to be Prof. Falken, i.e. not correcting WOPR/Joshua when it asked.)

[I know, I'm ruining the movie.]

Re:So if you forget to lock your front door (1)

jklovanc (1603149) | about 5 months ago | (#46531033)

> So, he walks into an office building, asks the security guard if he can walk right up to the conference room, and the guard says 'yeah, sure, why not' so he does...and now he's being arrested for trespassing.

A closer analogy would be the following:

Walk into an office building a few million times each time asking for different room numbers and when he finds one that exists the security guard says "yeah, sure, why not"...

By the way the security guard is blind so he has no way of knowing if you have been there before.
It was the act of brute forcing the IMEIs with millions of attempts gaining over 100k email addresses that got Weev into trouble. The judge even said that had he stopped at a few he would have gone free.

Re:So if you forget to lock your front door (3, Insightful)

amiga3D (567632) | about 5 months ago | (#46530695)

He never entered. He took pictures through the open door. Hell, they didn't even have a door, just a bead curtain that fell down.

Re:So if you forget to lock your front door (2)

jklovanc (1603149) | about 5 months ago | (#46531049)

How about if I did lock the door but you made a really fast key cutter and tried a million different keys on the lock and a few of them worked?

Re:So if you forget to lock your front door (0)

Anonymous Coward | about 5 months ago | (#46531069)

Well since you want to use that analogy. The whole client server part of the equation would make it more like this.

me: Hey can I come in (send the request url)
you: Yes come on in (you send the requested info)
me: Thanks, I see you are really into German scat porn

See, no law broken, yet you're still embarrassed.

Re:So if you forget to lock your front door (1)

currently_awake (1248758) | about 5 months ago | (#46531123)

Step in your house, no. LOOK in your house from the curb, sure. If the doors are open it's a public place.

Re:So if you forget to lock your front door (1)

bzipitidoo (647217) | about 5 months ago | (#46531547)

Worse than that. Someone is walking along a public street, waving a sign at passing cars. This person didn't dress properly before going out in public, and has no clothes on. He does not get to sue all the drivers for being peeping toms. He can't complain if someone takes a picture. Instead, the police can arrest him for indecent exposure.

Anyone who hooks a server up to the Internet is going out in public. Dress appropriately.

It's a public building (0)

Anonymous Coward | about 5 months ago | (#46531651)

It's like some public building where you are trying to find some desk or some info that you need and have permission to have, and wander in some door that was open. Then everyone jumps on you, claims you broke in, and you are spying, and stealing, and deserve to spend several years in jail. Completely different than private houses.

Re:So if you forget to lock your front door (1)

sjames (1099) | about 5 months ago | (#46531711)

The rules have always been different for a private home vs. a business open to the public. In particular, the default for a private residence is that you may not enter without invitation. For a business open to the public, the assumption is opposite.

It's why you don't have to ring the doorbell to go in to a shop when the door is unlocked and no closed sign is displayed.

Re:No. (2)

RyuuzakiTetsuya (195424) | about 5 months ago | (#46530799)

It's like walking through a door you know to be private property, you have no right to access, but because it's unlocked, you just walk through and start taking pictures of everything you see.

In reality, this is still trespassing and you're accessing something you have no authorization to access.

Granted, like I said, AT&T isn't off the hook for lousy security, but this doesn't forgive what weev did.

Exactly. (0)

Anonymous Coward | about 5 months ago | (#46530845)

What I find hilarious is that I have a biology professor, biology not computer science, who advises his students to access the yet unreleased class schedule for future quarters by entering the URL for existing ones just a little differently.

Re:Exactly. (0)

Anonymous Coward | about 5 months ago | (#46531791)

You are easily amused.

Re:No. (4, Insightful)

jklovanc (1603149) | about 5 months ago | (#46530897)

> Ah... no. If I can type the exploit into the address bar and I need no more than autohotkey to download their entire god damned database then that's not a hack

Too bad that is not what happened. He tried millions of possible IMEIs to get the information. That is not far off from a brute force password attack. That was also where the identity fraud charge came from. The IMEI is used to identify the owner of the phone and by using someone else's IMEI he was fraudulently acting as the owner of the phone.

Re:No. (0)

phantomfive (622387) | about 5 months ago | (#46530909)

> Ah... no. If I can type the exploit into the address bar and I need no more than autohotkey to download their entire god damned database then that's not.....not illegal.

It absolutely is illegal. You are trying to argue that it shouldn't be illegal, and you might be right, but that's a different topic. He's in jail exactly because it's illegal.

This guy's a griefer. He goes around trying to hurt people, trying to stay within the bounds of legality. In this case he accidentally crossed the line without realizing it, and now he's in jail. That's what happens when you are a griefer; because you make enough people mad, they'll be watching and waiting for you to make one mistake.

Re:No. (1)

TrollstonButterbeans (2914995) | about 5 months ago | (#46531383)

> "If I can type the exploit into the address bar and I need no more than autohotkey to download their entire god damned database then that's not a hack"

Quit being a weeny and go do it!

Then you can be cell-mates with weev, and everyone can point fingers at you and laugh.

["Your honor, I didn't burn down that house, it was the house being made of wood that was unsafe because fires occur in nature ..."]

Re:No. (5, Insightful)

Frobnicator (565869) | about 5 months ago | (#46530539)

> Furthermore instead of going to ATT, he went to Gawker first.

This, a thousand times.

When you discover a vulnerability:
* Do not go to the vendor. They will often ignore it or sue.
* Do not go to the school or business. They will ignore it, sue, fire, and expel.
* Do not go to the government. They will imprison.
* Do not go to the Interwebz at large. You get everything above.

Take the exploit and related proof to a trusted, large, well-established security company that accepts anonymous submissions and will publicly disclose the exploit if not addressed within a specific number of days.

Re:No. (2, Insightful)

Anonymous Coward | about 5 months ago | (#46530681)

> Furthermore instead of going to ATT, he went to Gawker first.

> This, a thousand times.

> When you discover a vulnerability:

> * Do not go to the vendor. They will often ignore it or sue.

> * Do not go to the school or business. They will ignore it, sue, fire, and expel.

> * Do not go to the government. They will imprison.

> * Do not go to the Interwebz at large. You get everything above.

> Take the exploit and related proof to a trusted, large, well-established security company that accepts anonymous submissions and will publicly disclose the exploit if not addressed within a specific number of days.

Or you could sell it, and make potentially a lot of money, and not have to deal with any of the above consequences.

I believe this is what is called a perverse incentive.

Re:No. (1)

amiga3D (567632) | about 5 months ago | (#46530701)

Better yet, sell it to the highest bidder.

Re:No. (1)

arth1 (260657) | about 5 months ago | (#46531205)

> Better yet, sell it to the highest bidder.

That would presumably be a three letter agency, which might not fit with your ideology.

Re:No. (4, Insightful)

epyT-R (613989) | about 5 months ago | (#46530743)

Fuck that. If disclosing it to these people puts yourself at great risk, it's no wonder it just gets uploaded to the most convenient 0day full disclosure community. Then they HAVE to take it seriously. The broken dynamic is the fault of corporates and governments, not 'hackers.'

Re:No. (1)

Aviation Pete (252403) | about 5 months ago | (#46531847)

> The broken dynamic is the fault of corporates and governments, not 'hackers.'

Let's be more specific. It's the fault of lawyers. There are many decent people in corps and governments, and even decent lawyers, but the bad ones poison the well for all others.

Re:No. (4, Informative)

Darinbob (1142669) | about 5 months ago | (#46530611)

Can we prosecute the NSA for the same crime? Presumably if the prosecutor doesn't fully understand what NSA actually did then that should be good enough to convict.

Re:No. (1, Insightful)

Anonymous Coward | about 5 months ago | (#46531131)

This approach worked pretty well against the NSA in the court of public opinion

Re:No. (0)

Anonymous Coward | about 5 months ago | (#46530633)

So they can put HIM away for a crime they can't understand, but they can't do that for the bankers apparently.

Once again, evidence of two sets of laws, depending on how connected/rich you are.

Re:No. (1)

marcello_dl (667940) | about 5 months ago | (#46531695)

This is irrelevant.
A troll jailed for no reason is a fitting punishment for a troll anyway, so there.

Weev = Miserable Internet Troll (New York Times) (2)

PocketPick (798123) | about 5 months ago | (#46531811)

Honestly, based on all indicators from the press over the last couple years, Weev has been a fairly miserable human being on most accounts, interested in causing disruption and not much else. The New York Times in particular did a very good expose on a number of individuals (including Weev), covering their behaviors over the last couple of years, and their admitted trolling behaviors.
  * http://www.nytimes.com/2008/08... [nytimes.com]

Here is a gem, highlighting some of his conduct.
Weev, the troll who thought hacking the epilepsy site was immoral, is legendary among trolls. He is said to have jammed the cellphones of daughters of C.E.O.’s and demanded ransom from their fathers; he is also said to have trashed his enemies’ credit ratings. Better documented are his repeated assaults on LiveJournal, an online diary site where he himself maintains a personal blog. Working with a group of fellow hackers and trolls, he once obtained access to thousands of user accounts.

I first met Weev in an online chat room that I visited while staying at Fortuny’s house. “I hack, I ruin, I make piles of money,” he boasted. “I make people afraid for their lives.” On the phone that night, Weev displayed a misanthropy far harsher than Fortuny’s. “Trolling is basically Internet eugenics,” he said, his voice pitching up like a jet engine on the runway. “I want everyone off the Internet. Bloggers are filth. They need to be destroyed. Blogging gives the illusion of participation to a bunch of retards. . . . We need to put these people in the oven!”

I don't know why people would do, or admit, things such as what the New York Times describes (usually it involves some kind of mental disorder)... but in the end, it all caught up to him.

WARNING!!! Goatse.cx link (-1)

Anonymous Coward | about 5 months ago | (#46530447)

goatse.cx [goatse.cx] link right here.

It's due to the courts' zeal for punishment (2, Informative)

Burz (138833) | about 5 months ago | (#46530459)

...particularly for punishing small fries who get in the way of large corporate interests and other big shots.

Along the same lines, we can ask why 'Bidder 70' went to jail [billmoyers.com] for stopping the illegal sale of public land.

Re:It's due to the courts' zeal for punishment (0)

Anonymous Coward | about 5 months ago | (#46530491)

yeah, but, bro he can write a book and become a pundit on the geek circuit after he gets out. this is the greatest thing that ever happened to his career.

Re:It's due to the courts' zeal for punishment (1)

Burz (138833) | about 5 months ago | (#46531055)

He's no Tony Blair or even a Mitnick or a Zimmermann. He might make $10k if he's lucky.

Re:It's due to the courts' zeal for punishment (3, Interesting)

Anonymous Coward | about 5 months ago | (#46530645)

and well..

quite frankly due to the prosecutor not understanding what he had been doing it's just about punishing for joking around. it should be illegal to prosecute something you can't understand. "I don't know what he did but he sure looks guilty, right!? you must convict!".

circa 1997 this happened to me, sort of. ran a traceroute on the wrong night to see where my emails were routed through(our school mandated the use of an internal email system where server wasn't internal and there was no encryption on the email clients(email client was mandated to be a certain windows email reader). now of course I had my machine full of warez(games and early music warez), winnukes, jolt of the day etc(and had winnuked some people so not totally innocent really of everything).

but what shocked me was the police interrogation, because they tried to make me sign something I had not said, because they did not understand the claims made by the "victim"(city) were impossible to have happened from my actions(and claiming shit like me crashing hospital internal network, hopping a supposed airgap and other stuff that I did not do, they just had some internal meltdown of the windows servers routing the traffic on the same day). the way the interrogation went was "you know what you did, tell us" and 16 year old me going "what the fuck dudes?".

originally they wanted me to confess to something technically impossible and it took them nearly 2 years to figure out that they did not know what to charge me with(and for the prosecutor to deem the investigation incompetently done and drop it, and it cost the state quite a lot for nothing...). I mean, the

posting anon but it's not too hard to figure out who this is for those who know.

anyway, doesn't matter which western country you live in always check what the coppers want you to sign and ask the fuckers to rewrite it to match what you actually said. after that ordeal I was convinced 20-30% of "solved" crimes are just pinned on some druggies in withdrawal who don't read what they sign.

Re:It's due to the courts' zeal for punishment (1)

Burz (138833) | about 5 months ago | (#46531061)

> and well..

> quite frankly due to the prosecutor not understanding what he had been doing it's just about punishing for joking around. it should be illegal to prosecute something you can't understand. "I don't know what he did but he sure looks guilty, right!? you must convict!".

> circa 1997 this happened to me, sort of. ran a traceroute on the wrong night to see where my emails were routed through(our school mandated the use of an internal email system where server wasn't internal and there was no encryption on the email clients(email client was mandated to be a certain windows email reader). now of course I had my machine full of warez(games and early music warez), winnukes, jolt of the day etc(and had winnuked some people so not totally innocent really of everything).

> but what shocked me was the police interrogation, because they tried to make me sign something I had not said, because they did not understand the claims made by the "victim"(city) were impossible to have happened from my actions(and claiming shit like me crashing hospital internal network, hopping a supposed airgap and other stuff that I did not do, they just had some internal meltdown of the windows servers routing the traffic on the same day). the way the interrogation went was "you know what you did, tell us" and 16 year old me going "what the fuck dudes?".

> originally they wanted me to confess to something technically impossible and it took them nearly 2 years to figure out that they did not know what to charge me with(and for the prosecutor to deem the investigation incompetently done and drop it, and it cost the state quite a lot for nothing...). I mean, the

> posting anon but it's not too hard to figure out who this is for those who know.

> anyway, doesn't matter which western country you live in always check what the coppers want you to sign and ask the fuckers to rewrite it to match what you actually said. after that ordeal I was convinced 20-30% of "solved" crimes are just pinned on some druggies in withdrawal who don't read what they sign.

Thanks for the advice.

Re:It's due to the courts' zeal for punishment (2)

SuricouRaven (1897204) | about 5 months ago | (#46531777)

Investigations cost time and money, and can potentially be embarrassing. So prosecutors really want to skip all of that and just get a nice simple guilty plea. They have a few tricks to make that happen, the most obvious being the use of threats - they'll come up with a list of charges long enough to get you jailed for fifty years or more, but then generously agree to drop almost all of them if you back down then and there and agree to plead guilty to the most minor ones and just do a couple of years or pay a big fine. Often the charges they threaten with are unlikely to hold up in court, but it doesn't matter - the possibility alone can be sufficiently intimidating.

The police themselves are just doing the groundwork. If they can secure the confession first it saves prosecutor-time, and they get all the glory for themselves too.

Mechanical rodent (1)

Anonymous Coward | about 5 months ago | (#46530545)

"He used some sort of mechanical rodent attached to an electric typewriter to 'click' on some things. It was way over my head so he's guilty of something!"

Everyone on /b/ needs jailtime (1)

Anonymous Coward | about 5 months ago | (#46530553)

Purposely trolling, but my point is that the majority of /b/'s content is illegal, endorsing criminal behavior, or inducing people to kill themselves.

If someone was thrown in jail for something they posted on /b/, they certainly deserve it (if only to send the message that there are consequences to bad behavior,) but as for length of jailtime, probably should not be treated the same as ... you know holding a gun to someone's head in a game of russian roulette.

The act of dox'ing is often done by people who are "4chan fags" and work for mobile carriers or ecommerce sites, have access to an extremely large amount of identity information, enough to screw over the real people's identity they mess with.

Trolling stops being a "joke" when someone suffers emotional, financial or physical harm. Unfortunately only the last two have consequences.

Re:Everyone on /b/ needs jailtime (-1)

Anonymous Coward | about 5 months ago | (#46530585)

Trolling stops being a "joke" when someone suffers emotional, financial or physical harm.

Fuck you, you need to kill yourself.

Re:Everyone on /b/ needs jailtime (0)

Anonymous Coward | about 5 months ago | (#46530995)

Your freedom end where my feeling begin! That may be as little I feel like, and tomorrow I may feel otherwise. Emotional suffering is the worst of all because it affect mostly women.

Trolling are always funny. If you don't have the maturity to laugh it off or ignore speech that offend you, then get off the tubes. The interweb are for adults, not whining children.

Re:Everyone on /b/ needs jailtime (2)

arth1 (260657) | about 5 months ago | (#46531267)

you know holding a gun to someone's head in a game of russian roulette.

You're doing it wrong.

Goatse security (1)

iamacat (583406) | about 5 months ago | (#46530595)

No idea about the legal aspects, but given the images that the name brings to mind I think I would pass on its services.

Beta is broken and just doesn't work why even call (2)

MeNeXT (200840) | about 5 months ago | (#46530603)

Can we please stop this foolishness. Now I'm off to reddit where I can enjoy my free time.

Once more in plain English Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.

Re:Beta is broken and just doesn't work why even c (0)

Anonymous Coward | about 5 months ago | (#46530947)

Can we please stop this foolishness. Now I'm off to reddit where I can enjoy my free time.

Once more in plain English Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.

Dude. It's not that difficult:

  1) Enable cookies and javascript in your browser of choice.
  2) go to beta first [slashdot.org]
  3) Now you can access classic [slashdot.org].

If you get tripped up following the above instructions, you may want to lay off the Dew.

Re:Beta is broken and just doesn't work why even c (1)

phantomfive (622387) | about 5 months ago | (#46530959)

Classic works for me, remove the 'beta' stuff from the url

Re: Beta is broken and just doesn't work why even (4, Insightful)

AudioEfex (637163) | about 5 months ago | (#46531087)

"Classic works for me, remove the 'beta' stuff from the url."

Be careful, or you'll be tossed in jail for hacking /.

Re: Beta is broken and just doesn't work why even (1)

phantomfive (622387) | about 5 months ago | (#46531113)

If I find a bunch of people's personal information, and throw it online somewhere, I probably will be.

change url in your browser to... (0)

Anonymous Coward | about 5 months ago | (#46531011)

fuckbeta.slashdot.org/blahblah

Gives you original view.

Leaves a nice record of your opinion.

THIS works... apk (0)

Anonymous Coward | about 5 months ago | (#46531243)

Put these hardcoded lines into your hosts file:


* Don't use anything that takes a cookie either (registered 'luser' accounts) & you're in (you can still use javascript, but it only slows you down really)... NO MORE "BETA", period!

APK

P.S.=> It works - I never, EVER, see the beta they were redirecting me to (without my consent or even asking me no less)... apk

Quick, somebody tell the admin of goatse.fr (0)

Anonymous Coward | about 5 months ago | (#46530605)

A link to his site is on frontpage of the slashdot... I mean, this is gross loss of such an opportunity to redirect.....

Donning CBR Gear (5, Insightful)

IonOtter (629215) | about 5 months ago | (#46530637)

Weev is whale turds. He's the lowest of the low, he knows it, and he relishes it. He's like a wolverine, pissing and shitting on the carcass he found, so nobody else will try to eat it, even though he can't stand his own stench.

Which is why it sucks so God Damned much to have to defend his useless ass!

But then, if you can't defend the worst of the worst from clear injustice, then we don't even have the hope of having a republic.

Re:Donning CBR Gear (1)

AudioEfex (637163) | about 5 months ago | (#46531435)

Idealism is noble and all, but sometimes in general when I read /. comments these days I feel like folks are missing that "ideal" is mostly an imaginative concept. Combined with the slippery slope fallacy, a spoonful of pseudo-anarchy idolatry, and a dollop of moral relativity, it would seem that we are in the face of impending doom with every little tiny ripple in the vast ocean of life.

This guy is a complete, disgusting, repulsive, degenerate, piece of garbage that deserves what he is getting right now. And I'm sure he is getting it quite regularly, quite possibly for the first time in his life.

Is how it happened ideal? No. Is it the beginning of the end of Western Civilization? No. Is it just? You bet your ass it is.

What you have here is an idiot prosecutor, who didn't know enough not to admit what he didn't know. Is the law often ignorant of technology? Yes, particularly this time, but the world self-corrected in this case (it tends to do that) and still stuck this little bastard in jail. Would it have been more ideal if he had been held accountable for the countless other things he likely deserves to be punished for (a lot of which we don't have laws for yet but should be punishable)? Of course. But it didn't go down that way, it went down this way. The end result is the same - he's some bad man's bitch right now, and getting a nice taste of the bitter he has put countless others through. He's lucky that thus far this has been the worst repercussion of his actions.

Civilization will continue to march on, this guy is getting what he deserves. Sometimes, the means don't matter nearly as much as the end result - regardless of the idealistic thinking that everything needs to happen "the right" way. And though AT&T also should be taken to task for not locking the door properly, he knew what he was doing when he was entering, and all this moral relativist bullshit I see in a lot of these posts (not yours in particular) is just that - bullshit. He's no white hat, he's no whistle-blower - he's a creep who was likely trying to "legitimize" himself as more than the grade-school "haxor" he is (which is why he chose the venue he did and did not take any steps to conceal his identity). He got burned. And the world is a better place with him locked up in a jail cell. That's what matters, and no slippery slope has begun.

Re:Donning CBR Gear (4, Insightful)

king neckbeard (1801738) | about 5 months ago | (#46531567)

Actually, it is a big concern when the justice system is perverted against its fundamental ideals. We used the whole 'ends justify the means, so fuck the rules' crap to take down some mob bosses, and now we have all the RICO crap and civil forfeiture is commonplace. This allows unjust and impractical laws to stand unchallenged because the state can nail anybody if they really want to, and they have the leverage to make most people plea bargain out. We commit crimes on a regular basis because of our incredibly complex legal system, the NSA tracks every time we wipe our ass, and they drop information to locals for 'parallel construction.' That means that, absent sufficient public outcry and scrutiny, they can put anyone in jail whenever they want.

Our justice system was set up the way it is for a very good reason, and it's incredibly naive of you to think that this is okay because weev is an asshole.

Re:Donning CBR Gear (1)

phantomfive (622387) | about 5 months ago | (#46531499)

Intent matters. He wasn't trying to help AT&T expose a security weakness, he wasn't trying to help the users whose data was exposed.

You don't need to defend people who are only trying to hurt others.

He should not have said who he is (0)

Anonymous Coward | about 5 months ago | (#46530641)

If he wanted them to fix their site, he could have offered money. If they ignore, then *anonymously from an internet cafe*, get onto their site, and put up pictures of Goatse with the words Pwned in blinking red neon, and "their site security suxor!" At some point, they will either clue up, or if they don't, start using their site to push illegal content. If the RIAA/MPAA goes after them like it goes after Google, then after seeing money sucked out the door, their CXO's will clue up about security (or maybe not, they aren't that clueful to begin with).

He did the wrong crime (1)

DigiShaman (671371) | about 5 months ago | (#46530677)

If he raped, stole, did drugs, mugged someone, I bet he would get far less time. There are even whole groups of people that get arrested over 60+ times!!! [google.com]

Don't hack. To do so might mean maximum prison in solitary confinement. You think I'm joking, but that's how afraid these clueless people are. They view hackers as some magic wizards that can open cell doors with thought alone.

He's a useless fucktard (0)

Anonymous Coward | about 5 months ago | (#46530687)

I see no reason why we shouldn't let him rot. The internet is much improved without him around it.

Prosecutors did a Google search... (1)

Nova Express (100383) | about 5 months ago | (#46530731)

...for the name of his security company, clicked on the first link, and said "OK, asshole, now you're going down!"

Now insert your own PMITA Prison/Goatse joke here...

Good! (0)

Anonymous Coward | about 5 months ago | (#46530749)

I'm glad they finally got this dickhead for something. He deserves every minute of incarceration.

An NPR reporter confessed to the same crime (0)

Anonymous Coward | about 5 months ago | (#46530761)

http://www.reddit.com/r/netsec/comments/1w5cfe/npr_reporter_confesses_to_same_crime_as_andrew/

And hasn't been caught yet.

Re:An NPR reporter confessed to the same crime (1)

RyuuzakiTetsuya (195424) | about 5 months ago | (#46530835)

Because Netflix isn't pressing charges.

If person A trespasses on person B's property, and then charges them for trespassing, it's not hypocrisy when person C walks in on person D's property and they don't care.

Furthermore, Alexis Madrigal didn't scrape 110k+ emails from Netflix's customer database.

Re:An NPR reporter confessed to the same crime (1)

jklovanc (1603149) | about 5 months ago | (#46530987)

Here are a couple of differences between what Weev did and what the reporter did.

Reporter
Tried a sequence of numbers totaling maybe 100k in sequence of which most were valid.
The data retrieved is movie genre tags. The use of the data is to translate a number into a string of text to display the Netflix genre code on browsers and apps. There are no privacy concerns or profit potential for this data.
Each data point retrieved is designed to be used by millions of people. Anyone with "Japanese Horror Movies" in their list would use code 10,000.

Weev
Tried millions of possibilities of which most were invalid
The data downloaded was valid email addresses of over 100k people. This is a serious privacy breach as these emails can be used as identity on many web sites and sold to spammers which will facilitate spam.
The data is designed to be used by the owner of the phone as identified by the IMEI and not anyone who can spam enough possible IMEIs to find a valid one.

Sorry but these are very different things. The Netflix database was meant to be public while the iPad one was not.

Re:An NPR reporter confessed to the same crime (1)

theArtificial (613980) | about 5 months ago | (#46531191)

Sorry but these are very different things. The Netflix database was meant to be public while the iPad one was not.

The fact is both were on web servers. The entire point of a web server is to handle requests, if you don't want something publicly accessible, begin by not putting it online. How are we to determine what is or isn't authorized? If you put something online, and later say that someone wasn't supposed to access it, who is liable?

The data is designed to be used by the owner of the phone as identified by the IMEI and not anyone who can spam enough possible IMEIs to find a valid one.

If only there were some way to flag and block repeated attempts... this is about as brilliant as those folks who decided using a Social Security Number as a means of identification.

TL;DR Defending negligence will not improve things.
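The "flag and block repeated attempts" idea raised in this exchange, sketched from the server operator's side as an added example (it is not part of any comment in this thread and is not any company's actual code). The log format, the `/lookup?id=` path, the thresholds and the sample lines are all constructed assumptions; the detector separates a client that guesses identifiers (mostly misses) from one that walks a sequence (mostly hits), the two patterns contrasted in the comments above.

```python
import re
from collections import defaultdict

# Constructed access-log format (an assumption, not from any real system):
#   <client-ip> <epoch-seconds> "GET /lookup?id=<digits>" <status>
LINE_RE = re.compile(r'^(\S+) (\d+) "GET /lookup\?id=(\d+)" (\d{3})$')

WINDOW_SECONDS = 60    # sliding window length
MAX_DISTINCT_IDS = 5   # distinct identifiers one client may query per window
MISS_RATIO = 0.5       # share of 404s above which the client is guessing


def parse(line):
    """Return (ip, timestamp, identifier, status) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, ts, ident, status = m.groups()
    return ip, int(ts), ident, int(status)


def find_enumerators(lines):
    """Map client IP -> 'guessing' or 'walking' for clients that query too
    many distinct identifiers inside one sliding window."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            ip, ts, ident, status = rec
            events[ip].append((ts, ident, status))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Drop events that have fallen out of the window.
            while evs[end][0] - evs[start][0] >= WINDOW_SECONDS:
                start += 1
            window = evs[start:end + 1]
            distinct = {ident for _, ident, _ in window}
            if len(distinct) > MAX_DISTINCT_IDS:
                misses = sum(1 for _, _, status in window if status == 404)
                ratio = misses / len(window)
                flagged[ip] = "guessing" if ratio > MISS_RATIO else "walking"
                break
    return flagged


def constructed_sample():
    """Constructed log lines using documentation-range IP addresses."""
    lines = []
    # One device polling its own identifier every 30 seconds: normal.
    for i in range(20):
        lines.append(f'192.0.2.10 {1000 + i * 30} "GET /lookup?id=8901000000000001" 200')
    # Many different identifiers per minute, most of them invalid.
    for i in range(30):
        status = 200 if i % 10 == 0 else 404
        ident = 8901000000000100 + i * 37
        lines.append(f'198.51.100.7 {1000 + i} "GET /lookup?id={ident}" {status}')
    # Sequential identifiers, all valid.
    for i in range(30):
        lines.append(f'203.0.113.5 {1000 + i} "GET /lookup?id={10000 + i}" 200')
    # Eight identifiers, one per hour: never exceeds the per-window limit.
    for i in range(8):
        lines.append(f'192.0.2.99 {1000 + i * 3600} "GET /lookup?id={500 + i}" 200')
    return lines


if __name__ == "__main__":
    for ip, kind in sorted(find_enumerators(constructed_sample()).items()):
        print(ip, kind)
```

Counting distinct identifiers per client, rather than raw request volume, is what keeps the device that polls its own record from being flagged.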

Re:An NPR reporter confessed to the same crime (1)

jklovanc (1603149) | about 5 months ago | (#46531239)

if you don't want something publicly accessible, begin by not putting it online

So no online banks, credit card companies, etc. Just because it is on the web does not mean it is public.

Defending negligence will not improve things.

Defending people who exploit negligence does not improve things either. In my opinion there should be consequences for both Weev and Apple.

Re:An NPR reporter confessed to the same crime (1)

theArtificial (613980) | about 5 months ago | (#46531533)

So no online banks, credit card companies, etc. Just because it is on the web does not mean it is public.

Absolutely it does, it's implicit when it's on the web (short for World Wide Web) especially without authentication (doesn't that usually involve username + password?). Ultimately I believe you're arguing about intent of the organization, something the web server and client know nothing about. Requests (not demands) are received, and the web server replies. Private networks are just that, not publicly accessible. This is the digital equiv. of driving down various streets (publicly accessible addresses) incrementally and being provided with information at the end.

How is an organization not responsible for what they put online, after all are they not the ones solely authorized to determine what they want to provide others access to? It's not like this involved a username and password like the online banks or credit cards do.

Remember those folks who would share out their entire drives on file sharing networks? It's not up to a client to determine validity of who is or isn't authorized - that's the job of the people configuring the server. It is up to the entity operating the server to ensure that data is protected, authentication isn't anything new, especially robust systems. Would you defend the government for making a system where simply using a street address would allow one access to information (taxes etc.)? How about your Bank? Explain your reasoning, please.

Defending people who exploit negligence does not improve things either.

What does this have to do with my point, you think I like this asshole? Are you under the impression that making an example out of this guy will somehow improve things? If that were the case simply putting a guy through the system, the first time, would've sent the message loud and clear! If you're a customer of this company after this, you're crazy but I can understand how you'd be upset; although you should really focus on WHY THIS HAPPENED. You're ready to punish him for what amounts to an embarrassment. Also, you included email addresses in your rant, FYI email addresses are not private information. They're as private as a phone number is (something listed in directories and/or published in books).

You make a point of mentioning that this occurred thousands of times. What if you clicked on a link via a URL shortening service that directed you to one of these links, do you think you should be put in jail? Is it an exploit only if you do it x number of times? Do you think you should be liable for fraud for entering IMEI#s? What about accessing a website or service when its really busy (DDOS)? What about visiting slashdot and typing in an account name that's a misspelling of yours which happens to have the same password? Swap out slashdot with your bank of choice. Is it criminal now since it's "unauthorized access" of a computer system?

Lazy/incompetent/unprofessional people get no sympathy from me, they've earned this, and the company (developers, sysops, and managers in charge of these systems) need to own up to their shitty half baked design and policies. They deserve to get their feet held to the fire. If they're unable to perform, there isn't a shortage of qualified people who would jump at a chance to take their places in a fucking heartbeat.

Re:An NPR reporter confessed to the same crime (2)

jklovanc (1603149) | about 5 months ago | (#46531683)

Would you defend the government for making a system where simply using a street address would allow one access to information (taxes etc.)? How about your Bank? Explain your reasoning, please.

I am not defending AT&T. I think they should be heavily fined and hopefully someone go to jail. I also think that someone who exploited the hole should also be sent to jail and heavily fined. The only people I am defending are the ones who had their information stolen.

Absolutely it does, it's implicit when it's on the web (short for World Wide Web) especially without authentication (doesn't that usually involve username + password?)

There are some authentications that do not use user/password. For example, Paypal Payflow uses a signature which is a single long number that identifies that account and gives authorization for access. It is a single number somewhat like an IMEI.

FYI email addresses are not private information.

Have you ever seen a directory of email addresses? There may be a reason for that. I have looked and I have not found a legal definition one way or the other. By the way, the parallel with phone numbers may be flawed as some numbers are unlisted and not allowed to be published in directories. I believe that the owner of the number must authorize listing the number.

You make a point of mentioning that this occurred thousands of times.

Make that millions of times with millions of different combinations.

What if you clicked on a link via a URL shortening service that directed you to one of these links, do you think you should be put in jail?

That is one URL and not millions of different URLs.

Do you think you should be liable for fraud for entering IMEI#s?

Yes, if the IMEI does not belong to you or you have not been authorized by the owner to use it.

What about accessing a website or service when its really busy (DDOS)?

If most of that load is caused by your servers hitting their servers then yes. If it is by normal browser traffic then no.

What about visiting slashdot and typing in an account name that's a misspelling of yours which happens to have the same password?

Don't you see how this is very different from trying millions of different password combinations? One of the precepts of law is intent. It is pretty easy to show no intent when typing in a few incorrect characters. It is easy to show intent when you create a script that generates millions of possible IMEIs and spams a server with them.

Lazy/incompetent/unprofessional people get no sympathy from me

I completely agree. I also think that people who exploit flaws for the purpose of profit and/or self aggrandizement should be held accountable for their actions.
We are actually not too far apart. In my view the problem was caused by both Weev and AT&T; they both should be prosecuted. What do you think?

Re:An NPR reporter confessed to the same crime (1)

king neckbeard (1801738) | about 5 months ago | (#46531581)

If the consequences for weev and Apple/AT&T were roughly proportional, there would probably be a lot less outcry. However, as far as a cursory search reveals, they didn't receive any kind of reprimand other than looking like idiots.

Re:An NPR reporter confessed to the same crime (1)

jklovanc (1603149) | about 5 months ago | (#46531709)

Agreed. If more people took the stance of "both are wrong and should be punished" maybe something would happen. The "Weev is innocent" chant just muddies the waters and dilutes any pressure to prosecute AT&T.

The Free World Defense? (1)

fullback (968784) | about 5 months ago | (#46530879)

Maybe they should have told the court that they had no authority to charge or even know any information about the case or the defendant's actions since national security and the safety of entire free world was at stake. That seems to scare every other court off, right?

Wait... (1)

koan (80826) | about 5 months ago | (#46530925)

You're telling me slashdotters don't want to see a troll go to prison?

The screwup of law (1)

the_Bionic_lemming (446569) | about 5 months ago | (#46530943)

If someone dangles their genitals while traffic passing by can see, take a picture of, and release publicly while informing the police of the infraction can be arrested for dangling their genitals in public view - I find it completely mind boggling that the same enforcement can't be brought against a company that dangles their genitals on the intraweb.

A hundred years from now... (1)

FuzzNugget (2840687) | about 5 months ago | (#46530945)

We will look back on things like this and think, "Holy shit, we imprisoned people for that? Man, that was stupid. I'm sure glad I didn't live in that barbaric era of witch-huntery!"

Re:A hundred years from now... (3)

JockTroll (996521) | about 5 months ago | (#46531719)

You're wrong: we will look back on things like this and mutter "this is how it started". And then a friendly security patrolman (they will be called that way) will look at us sternly from behind a dark visor and growl: "Are you harboring illegal thoughts, citizen? We are watching you."

I don't know whether it's illegal or not. (1)

Vellmont (569020) | about 5 months ago | (#46531161)

What he did seems rather grey to me. I don't exactly buy the argument that this was legit access. Especially when he went and downloaded 140,000 some email addresses.

41 months does seem like a ridiculous sentence for stealing some freaking email addresses though. Is it really supposed to be worse just because he got Michael Bloomberg's email address? Isn't punishment supposed to be based on harm done? For a crime, this sounds pretty penny-ante.

I did exactly the same thing. (1)

Anonymous Coward | about 5 months ago | (#46531189)

In 1997, MT&T launched RADSL service Mpoweredpc.net (7mbps down, 1.088mbps up $45mo). As a customer they gave me a printout of a url for my account information. I modified a few random looking numbers on the URL and sure enough, it was an ID for other customers' profiles (could go through them all)!! I even had access to their original email passwords (if they had not changed them, I knew this from my own profile).
I immediately reported it to the company, and even sent several follow up emails, yet it took them a good 6 months for them to close the security 'hole'.

There's something to be said for going public, it makes companies get their asses in gear... Better news sites than hacker ones of course (not that back then it would have done anything, as IT news was pretty weak).

In my opinion... (0)

Anonymous Coward | about 5 months ago | (#46531611)

IMO, you shouldn't be able to prosecute a crime you can't comprehend. They need a lawyer with a brain for something other than just law.

NYtimes, I never got to Weev (1)

Trax3001BBS (2368736) | about 5 months ago | (#46531899)

I started at the NYtimes link and it wore me out; it was supposedly about Weev, going from "a hero", to /b/, to Lulz and that was just the prep, I didn't care to read any more about it.

http://www.nytimes.com/2008/08... [nytimes.com]
