
FBI and Secret Service Files: Aaron Swartz - signa11
http://www.theblackvault.com/m/articles/view/Aaron-Swartz
======
pocketheyman
Kind of interesting, according to the case file, the PACER records were being
pulled en masse during normal court hours (typically when courts are also
accessing the PACER database). A user noticed that PACER was going slow and
notified PACER of the apparent slowness. Looks like they investigated, shut
the PACER system down and were able to detect the requests were coming from an
Amazon Web Hosting account linked to Swartz.

I find this interesting because it wasn't some flag on the PACER system
screaming "HEY SOMEONE IS DOWNLOADING THESE EVERY TWO SECONDS" but instead was
noticed because some law clerk was irritated at how slow the server was at
responding.

~~~
meowface
This is similar to how many breaches and DDoS attacks are discovered. Lots of
companies have absolutely no controls to detect the most basic of flooding or
spidering behavior.

~~~
UnoriginalGuy
First off: Totally true.

Secondly: Devil's advocate, but it is a "hard problem." It is easy to look for
behaviour on the system, it is very hard to look for patterns of behaviour.

I mean let's say that some of your users are normal court clerks, it wouldn't
be unusual to see them sit around and pull tons of records all day every day.
So how do you pick up normal requests on-mass and unusual requests on-mass?

If I was in charge of protecting such a system I wouldn't even attempt to
detect this (too hard). Instead what I would do is make it impossible to get
records sequentially (e.g. 1, 2, 3...9999999) instead each record had a unique
randomly generated token associated with it (a UUID/GUID).

So in order for someone to gain every single record they would either need to
conduct a "real" break in and steal the files, or search for every possible
criteria (which, for them, becomes a huge hassle/problem).

PS - Most DDoS are, these days, against layer 3 (network). Since it is far
harder to defeat a layer 3 attack (as it can literally crash a lot of network
hardware). While layer 7 (software) DDoS attacks still exist, they're often
conducted by less formidable adversaries and they're much easier to stop (e.g.
return a JavaScript redirect instead of the normal page, most browser-users
won't notice, but it will defeat a targeted attack until they re-target (and
you could rename it every 10 minutes)).

~~~
dredmorbius
So, here's a story I heard recently.

The person involved wanted to create a local archive of records. An index of
material was possible to obtain, but rapid sequential requests resulted in an
IP block preventing further access.

Modest levels of restructuring the requests, in random sequence, with a
significant (several minutes) delay between requests, and random delay,
eventually succeeded in retrieving the material.

If that had failed, a distributed set of requests could have been attempted.

When I've faced issues of high (to the level of service-degrading) levels of
traffic, I've found tools that allow me to aggregate requests by similar
attributes, including requests coming from a defined network space (CIDR or
ASN), which can be quite useful. Reading such patterns just from eyeball scans
of logs is pretty bloody difficult, and tools to assist in this are ... poorly
developed.

~~~
meowface
>Reading such patterns just from eyeball scans of logs is pretty bloody
difficult, and tools to assist in this are ... poorly developed.

There's some enterprise software out there designed for use cases like this,
but they're typically very expensive. There are also other issues, like the
storage requirements of full logging of request headers and bodies if you
really want to see the big picture.

Simple IP rate limiting will stop the majority of would-be scrapers/scanners
in their tracks though. Especially if there's so much material that it could
take days or weeks to finish a scrape if you had to add a random delay of 3 or
more minutes per request.

------
manifesto
A reminder: the petition [https://petitions.whitehouse.gov/petition/remove-
united-stat...](https://petitions.whitehouse.gov/petition/remove-united-
states-district-attorney-carmen-ortiz-office-overreach-case-aaron-
swartz/RQNrG1Ck) has not been responded yet, after more than one and a half
years.

~~~
neverminder
Indeed, I remember signing this back then. White House seems to be dodging
responses to certain petitions that have received enough signatures:
[http://www.washingtonpost.com/blogs/the-
switch/wp/2013/08/13...](http://www.washingtonpost.com/blogs/the-
switch/wp/2013/08/13/here-are-the-30-questions-the-white-house-doesnt-want-to-
answer/)

~~~
cheald
Has Obama's White House ever responded significantly to _any_ petition made
through that system?

It's a pressure valve designed to bleed off discontent, not an actual channel
for affecting change.

~~~
lambdapower
My favorite petition came right after a few of the early responses, titled "We
demand a vapid, condescending, meaningless, politically safe response to this
petition."

I can't find it on the petition site anymore.

~~~
McDoku
Can you really blame the guy for being politically safe? I know it sucks but
it is a war of inches.

Things change with the backing of the people. The Republicans know this well
and uses that reaction. They are fundamentally populist (whether you agree
with them or not, they have skill here).

Absolute justice gives way to a triage. Fundamentally with out that triage
nothing gets treated. It is an unfortunate reality.

It will only change, if how we work is rethought. These are the scope of the
actions available in our game. The pattern has been replicated consistently
through similar models in history.

It could very easily become robbing Peter to pay Paul.

*edit Getting downvote....sigh.... I realize it is an unpopular opinion but it is a consistent pattern for republics through out human history. Please offer me a counter example to facilitate debate if you disagree.

~~~
autokad
i disagree. for one thing, he's in his 2nd term, there is no 'war of inches'
to lose. when he has a political agenda, nothing stops him from shoving it
through no matter what. for stuff he cares two licks about but knows his
voters care about, he just retorts 'the republicans wont let me'.

~~~
McDoku
Would it not be irresponsible to poison the political landscape for the next
candidate?

~~~
JetSpiegel
I thought Nobel prize winners should be willing to make sacrifices for the
common good.

~~~
McDoku
That statement cuts both ways... If it is a choice between good and evil, the
obvious moral choice is good. It is only a moral decision when it is between
two evils.

Determining the lesser and potentially sacrificing for the common good. This
the primary responsibly of any leader responsible for strategic decision
making.

As you said, this means making sacrifices for the common good.

~~~
MCRed
No, good and evil are clear choices. Irradiating the flying public, taking
pornographic pictures or molesting children are all evil, and Obama could have
stopped that.

Domestic spying, Obama could have stopped it.

Hell closing guantanamo, he didn't even do that. And that's a straight up
operation in violation of the constitution top to bottom.

We may have the choice between two evils at election time, but no politician
is forced to choose evil.

~~~
McDoku
Okay here is an example. Enigma machine in WW2. Do you let a city get bombed
and lose 10k lives or reveal that you have broken a code and lose the war?

How do you act and why?

------
nutate
Was there ever an argument beyond 'information wants to be free' to this?
Let's say PACER docs were being pulled and hosted elsewhere. What if case
information was updated as per part of the legal process, aka person X is now
innocent. How does this change to past case documents get propagated to the
'illegal' mirror?

This is interesting because I think we do want an authoritative document store
and that, yes, we hence need to pay for its upkeep. So if he had mirrored and
hosted all of these cases, they would've been merely snapshots of past
history, not the curated corpus that PACER has.

The same could be said of scientific papers where large retractions are
handled by the journals, but may be lost by some mirrors.

Information quality, provenance and current validity is more important than
the trope of 'wanting to be free.' Once information passes into the
'historical' realm, perhaps it should/must be free, but when we are in the
malleable phase it's irresponsible to 'mirror once' without knowing how to get
pushed (or pull) updates.

Look at how the Linux kernel mirror system works, push mirroring, etc. The
scrape method doesn't pass the smell test if you really want to provide a
service beyond point in time archiving (aka archive.org).

Regarding depression, suicide and unfair persecution I'll withhold comment.

~~~
hackuser
> Was there ever an argument beyond 'information wants to be free' to this?

I can think of four: 1) The information is vital to government and to justice,
both personally (if you are party to or have a stake in the case) and as a
public affairs issue; its availability should not be restricted in any way,
and especially not restricted to those who can afford to pay. 2) In principle,
access to the courts should not discriminate based on any factor, especially
wealth. 3) The information is a product of taxpayer-funded activities and
therefore should be public and free. 4) 8 cents/page for downloaded data is
ridiculous; what if HN charged us 8 cents/page?

Does anyone know what Swartz' actual arguments were?

~~~
josaka
The strongest reason, to my mind, is that we have a common law system, so the
public can't fully and accurately comply with the law without access to the
court records upon which the common law rulings are based.

------
vajorie
How come no one even bothered to remove his full address and ssn from the
records?.. On the other hand, even the very names of people who approved and
drafted the documents are removed.

~~~
adestefan
After someone dies these are no longer protected.

~~~
saalweachter
Related question: Do the deceased have any (legal notion of a) right to
privacy?

~~~
gnaritas
Why would they? Privacy means nothing to the non-existent.

~~~
ajkjk
That's your opinion and doesn't answer the question at all.

At least for health records, you do have privacy after you die, apparently for
50 years:
[http://www.hhs.gov/ocr/privacy/hipaa/understanding/covereden...](http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/decedents.html)

~~~
gnaritas
I didn't state an opinion, I asked a question and then I stated a fact, an
indisputable one that is not opinion, perhaps you should read it again.

------
herge
Wait, were the case files for Aaron Swartz classified or just never made
public? What would be the reasoning for classifying his case? How was he a
threat to national security?

~~~
GabrielF00
I think classified is the wrong word. These are investigative documents
released after a FOIA request, but I don't see any indication that they were
ever classified.

~~~
nhstanley
Yea, unsealed or released would be better words (depending on the situation).

------
yuhong
On PACER fees, IMO a good compromise is to only charge for the actual court
documents retrieved. No charging for search results, docket listings etc, and
there is already a $3 cap on documents.

~~~
discardorama
There should be _no charge_ at all for access and retrieval. These court
documents affect our lives; they are the law of the land.

Some will say: but it costs money to provide this access!!1!!

To them: it costs money for police & fire too. Where does that come from?
That's right: taxes. So taxes should pay for the upkeep of PACER too.

~~~
RickHull
Frankly there are plenty of private organizations desperate to take over
Internet distribution of these documents, at no charge to anyone. If PACER
can't match or compete with this, then they should step aside as far as
distribution goes.

Lead, follow, or get out of the way.

------
jdong
What makes this case such a big deal? Swartz did something that was obviously
illegal and got caught.

~~~
McDoku
Because our law is made by the hands of ultimately fallible beings. We are
inevitably going to make mistakes. This is the reason we have legislative
bodies. They are a guard against our own lack of omnipotence.

~~~
jdong
Sure, but there really doesn't seem to be anything wrong with the law here.
Aaron wasn't even convicted of anything.

~~~
scarmig
The law was going to give him prison time and mark him as a felon for life for
the crime of downloading academic papers with the intent of making them
available to the public. It continued to pursue this even after JSTOR had
asked the attorneys to back down, hounding him incessantly even after informed
that he was psychologically ill.

~~~
jdong
You're ignoring the other charges he had, the prosecution offered him an
AMAZING deal. You can't just not prosecute people because they're depressed.

~~~
vdaniuk
Wow, I am extremely surprised to see such attitude from a friend of Aaron.

Amazing deal? Really? Do you think that serving 6 months or more for his
"crimes" is justice?

~~~
jdong
You probably mean 6 months or less, because that was the prosecution offer.
And yeah, I think that was actually a pretty good deal. Although I would agree
that in a perfect world the material he took would already have been public.

~~~
shiven
I think you are grossly underplaying the consequences of that plea deal. Six
months (or less) in federal prison would still have him labeled as a "convict"
and he would have lost numerous civil rights (voting being one) as a result.
Needless to say, he would have to carry that label for the rest of his days as
a US citizen. From what I understand, Aaron did not want to carry that cross,
more so since he considered himself innocent. Hence, in protest, he took his
own life. I am neither condoning nor criticizing his action and his final
decision, as I am in no position to do that. However, I strongly doubt it was
as simple or straightforward as you'd like it to appear. If you are a friend
of Aaron's and you have come out publicly (on HN) as one, perhaps you could
explain the reasoning and motivations better than most of us. Why not do that,
instead of oversimplifying the whole situation?

~~~
jdong
Aaron did what he did knowing the consequences, my best guess is that at some
point after he started regretting his decision.

This is how the world works, if you make a bad decision you'll have to live
with it... Or not.

~~~
shiven
Aaron did what he did knowing the consequences, _my best guess_ is that at
some point after he started regretting his decision.

So, your "guess" is as good as mine, or any of my fellow armchair analysts on
HN? Are you sure Aaron even considered you a _friend_?

Or perhaps, you were just trolling HN, eh?

~~~
jdong
Thing is, I'm not his shrink. I don't know everything that was going on inside
his head, that's my best guess based on my daily chats with him on IRC.

