Andrew Auernheimer case uncomfortably similar to Aaron Swartz case - usaphp
http://yro.slashdot.org/story/13/01/23/0319214/andrew-auernheimer-case-uncomfortably-similar-to-aaron-swartz-case

======
xb95
Andrew Auernheimer, known online as "weev"
(<http://en.wikipedia.org/wiki/Weev>), is nothing like Aaron Swartz. I speak
from personal experience with weev.

Thanks to weev and his associates, my business partner, many of my volunteers,
some family members of the above, and everybody who weev and his "trolls"
could reach were subjected to a months-long campaign of constant harassment.

* One volunteer had to interview with Child Protective Services and the police because of false complaints made by weev and his friends.

* Another volunteer had trouble at her university because they tracked down her professors and made false claims.

* Our business faced several Denial of Service attacks and false complaints to our merchant processors and hosting providers.

* Harassing voicemails, phone calls, emails, IMs, IRC messages, etc etc etc.

The list of things that weev and the so-called Gay Niggers Association of
America
([http://en.wikipedia.org/wiki/Gay_Nigger_Association_of_Ameri...](http://en.wikipedia.org/wiki/Gay_Nigger_Association_of_America))
did to us is pretty long. It's sad, really.

In the end, it stopped when (I can only assume) he got bored. We developed a
strong relationship with our hosting provider, our new payment processor, and
we did as much as we could to help people who were put in bad situations
because of weev's actions. Ultimately, we lost some volunteers and bled money
for 3 months, but we survived.

So, weev has a good enough story to get his "confession" in TechCrunch and on
Twitter and people think that he's another example of the over-broad reach of
law and the destruction of young lives by powerful corporations/organizations.

Maybe it is.

But if you value the legacy of Aaron Swartz, do not for one minute confuse him
and Andrew Auernheimer. One was a man driven by a vision who helped defeat
SOPA and did many other good and noble things, the other is a self-described
troll who spent years of his life doing his best to extract "lulz" from the
pain and suffering of his fellow human beings.

~~~
jrockway
To be fair, this is not what he's on trial for. If the government wants to
bring charges that pertain to these actions, that's great.

But incrementing a number at the end of a URL should be legal even if Hitler
is doing it, plain and simple.

~~~
aw3c2
That analogy stinks and it is not as simple as you make it. It is about intent
and malicious use. Opening a door is legal too, still you can get punished if
you were not allowed to open that specific door and abused the opportunity to
take some stuff with you or violate someone's privacy.

The problem is not that "he incremented a number, get the sheriff" but "he
incremented a number to get access to information which he then maliciously
used".

~~~
josephlord
Except that he "maliciously used" the data by giving it to a journalist.
Sounds like an act of a whistleblower to me. His intent was to expose (and
embarrass) AT&T and to me the fact that he didn't like AT&T and wanted to hurt
them is irrelevant.

Had he actually tried to sell the personal data OR actually shorted AT&T
shares that would be very different from my point of view and be worthy of
actual punishment but my understanding is that didn't happen. Given it didn't
happen it should be up to the prosecution to prove that he wasn't joking for that
to be used as intent.

I'm a little uneasy about the idea of not prosecuting him at all though as the
flaw could have been exposed by collecting a sample of the data to see the
extent of it without collecting it all but I would be equally open to
prosecuting AT&T for not securing customer data appropriately (I would have no
problem with prosecuting both - the victims are the customers whose data was
exposed by AT&T).

------
denzil_correa
Did Andrew try to sell the data for profit? He took a sample of the output to
a journalist at Gawker and notified AT&T [0]. Why would one do that if he
wants to sell data? However, what worries me is that in the same article it is
mentioned that

    Since a member of the group tells us the script was
    shared with third-parties prior to AT&T closing the
    security hole, it's not known exactly whose hands the
    exploit fell into and what those people did with the
    names they obtained.

It's pretty hard to know what really happened. I don't understand
Auernheimer's actions at all - on one hand he informs AT&T/Gawker and on the
other he sends the script to third parties. Even if his intentions were not
malicious, Auernheimer acted immaturely. The lengthy blog post he wrote
explaining his actions is no longer available and here's a cached version [1].
Some of the points directly contradict the earlier Gawker article.

    The only person to receive the dataset was Gawker
    journalist Ryan Tate who responsibly redacted it.

So, does this mean he didn't reveal the dataset but revealed the script?

[0] [http://gawker.com/5559346/apples-worst-security-breach-11400...](http://gawker.com/5559346/apples-worst-security-breach-114000-ipad-owners-exposed)

[1] [http://webcache.googleusercontent.com/search?q=cache:PChrEDR...](http://webcache.googleusercontent.com/search?q=cache:PChrEDRqtCwJ:security.goatse.fr/on-disclosure-ethics+&cd=2&hl=en&ct=clnk&gl=in)

~~~
Cushman
Just to be clear, by "script" here do we mean "Dude, check this out, you can
just change /accounts?id=12345 to /accounts?id=12346"?

~~~
denzil_correa
Good point. The question I would ask is - Should he be doing even that given
the fact he is in complete knowledge of the situation?

------
davesims
On the contrary, imo this actually highlights the gross injustice in Aaron's
case, considering the outrageous imbalance in the potential sentencing in the
two cases.

I'm assuming here that the following two press accounts are not grossly
misrepresenting the facts:

[http://www.reuters.com/article/2011/01/18/us-apple-ipad-idUS...](http://www.reuters.com/article/2011/01/18/us-apple-ipad-idUSTRE70H3BH20110118)
[http://arstechnica.com/apple/2011/01/goatse-security-trolls-...](http://arstechnica.com/apple/2011/01/goatse-security-trolls-were-after-max-lols-in-att-ipad-hack/)

Here at least you have clearly stated malicious intent, which may or may not
have been serious, in jest or otherwise, but clearly the potential harm in
Andrew Auernheimer's case is real, so much so that they 'joked' about shorting
ATT stock before they released the data.

They were facing potentially only 10 years each max, compared to Aaron's 50.

To me, the disproportionate charges in the two cases are the most galling thing
and should serve to highlight how out of control the prosecutors were in the
Swartz case. 10 years may even be disproportionate in Auernheimer's case as well,
but at the moment I'm quite unsympathetic given what I've read.

I say all of that fully ready for the inevitable "HN Turnaround" when more
facts and POVs are brought to bear and I change my mind on this. But at the
moment I see very little in common between two self-aggrandizing lulzing
jokers and Aaron Swartz.

~~~
AnthonyMouse
As far as I can tell, Auernheimer is indeed a spectacular idiot. But that's
kind of the problem. What he did was idiotic but still shouldn't have been
criminal. What he did was, in its essence, _pointing out_ that AT&T was
allowing people worse than he is to easily get access to this information.
Proof by demonstration, in a way that was almost entirely harmless -- no one
malicious was given access to any new information, since the actual malicious
parties could have about as easily exploited the exact same vulnerability if
these idiots had done nothing.

But here's the thing. Screw Auernheimer. Forget about him. He's a jerk, nobody
is going to be motivated to fix anything to help someone like that. He opens
his mouth and stupid comes out and it makes otherwise helpful people dislike
him.

And we need to fix the laws. For everyone. Not even these idiots deserve to be
felons. But I agree that we shouldn't be touting them as examples, because
they probably smell funny and it would be a great shame for the stench to rub
off.

~~~
rayiner
> What he did was idiotic but still shouldn't have been criminal.

The idiot kids who sneak into a factory to see what there is to see are
criminals. Should they be felons? No, but under the CFAA, simply breaching a
digital boundary is a misdemeanor. It's only when it is in the furtherance of
another criminal act that it is potentially punishable as a felony.[1]

In this case, that last bit is predicated on a NJ statute which requires:
"defendant `knowingly or recklessly discloses or causes to be disclosed any
data . . . or personal identifying information.’"

If the jury finds he didn't disclose or cause to be disclosed any personal
information, the NJ statute won't have been violated, and the CFAA charge will
reduce to a misdemeanor.

See: [http://cyb3rcrim3.blogspot.com/2012/11/unauthorized-access-i...](http://cyb3rcrim3.blogspot.com/2012/11/unauthorized-access-identity-theft-and_5961.html).

[1] I should point out that I'm not a fan of such "escalation" provisions.

~~~
AnthonyMouse
>The idiot kids who sneak into a factory to see what there is to see are
criminals.

I don't know if that's the right analogy. That's part of the problem: I think
legutierr is on to something with the issue that every time we talk about the
CFAA we try to come up with strained analogies, because we can't conceptualize
why the specific thing that someone did to a computer is wrong. Why is this
like sneaking into a factory and not like reading a list of their other
customers' email addresses that AT&T has mistakenly printed on the back of
everyone's billing statement?

I still think the whole notion of "unauthorized access" is the wrong way to
go. If someone breaks into your computer and intentionally deletes your data,
vandalism. If they take credit card numbers and use or sell them, identity
theft. So on and so forth. If all they do is fiddle with a URL or prove to you
that your security is not what you thought it was without damaging anything or
committing any _other_ crime, why does that have to be a crime in itself? It
seems like all that does is chill the propensity for security experts to point
out vulnerabilities when they see them, for fear that embarrassing the
system's operator will result in retaliatory pressing of charges, and give
prosecutors a catch all to charge people with when they can't make a case
based on anything else.

This is almost a case in point. These defendants are royal jerks. They're
sitting around contemplating everything from blackmail to securities fraud,
but in this specific case it doesn't seem like they've actually done anything
like that, just talked about it like pompous idiots. So they get charged with
the CFAA, because it catches almost everybody whether they've really done
anything or not, even though from what I can tell all they actually did was
publicize that AT&T's poor security was putting AT&T's customers' personal
information at risk. I don't know how convinced I am that the fact that they
did it in a stupid and immature way should send them to jail.

~~~
rayiner
> Why is this like sneaking into a factory and not like reading a list of
> their other customers' email addresses that AT&T has mistakenly printed on
> the back of everyone's billing statement?

Because it requires intentional effort to find information that is intended to
be private. It requires you to "walk through the door." The digital equivalent
of your scenario is if AT&T accidentally e-mailed their customer list to
everyone along with their e-bills.

> I still think the whole notion of "unauthorized access" is the wrong way to
> go. If someone breaks into your computer and intentionally deletes your
> data, vandalism. If they take credit card numbers and use or sell them,
> identity theft. So on and so forth. If all they do is fiddle with a URL or
> prove to you that your security is not what you thought it was without
> damaging anything or committing any other crime, why does that have to be a
> crime in itself?

I disagree. I don't think the digital world should be treated any differently
than the real world. In the real world, we enforce boundaries in their own
right, with minimal penalties unless it is accompanied by another crime. We do
so to discourage people from poking around where they shouldn't, because such
poking around is highly correlated with actual crime. Allowing people to poke
around freely makes enforcement hard. Everyone who actually did something
wrong is going to claim "oh I was just poking around." This rationale
translates just fine into the digital world.

> It seems like all that does is chill the propensity for security experts to
> point out vulnerabilities when they see them

Why can't security researchers get consent from their subjects to do
experiments on them, like every other kind of researcher? Should my doctor be
allowed to test his pet theories on me while treating unrelated conditions, on
a "no harm no foul" basis?

~~~
AnthonyMouse
>Because it requires intentional effort to find information that is intended
to be private. It requires you to "walk through the door."

There is no door though. The digital equivalent of your scenario is _Tron_.

An intentionally publicly accessible computer doesn't have well-defined
boundaries. The line between authorized and unauthorized is very fuzzy, which
is not a good feature in criminal law. Especially where defendants are
characteristically individuals without the resources to defend their
interpretation of the law in court.

>We do so to discourage people from poking around where they shouldn't,
because such poking around is highly correlated with actual crime.

That seems like a self-fulfilling prophecy. If you criminalize poking around
then only criminals will poke around. There are also much better reasons for
prohibiting it in physical space than on the internet. Industrial equipment
can be dangerous and cause massive property damage or personal injury if you
mess with it. Invading someone's home impacts their physical security. These
are rarely if ever the case with computers. Servers are (or should be) backed
up, so even where there is highly valuable data, the extent of destruction
someone can accidentally cause is limited to the cost of restoring backups,
and reckless or intentional damage would continue to be illegal.

Harmless poking around also has the benefit of revealing vulnerabilities
before they get revealed through malicious poking around. A kid who sneaks
through your literal open window and starts nosing around in your house is not
pointing out a critical security vulnerability; you know that your window is
open. There is no benefit to the homeowner, the kid is just a pest. But
computers have higher security requirements: The equivalent of an open window
is a major failing in need of immediate attention, because if a kid can get in
then so can foreign criminal syndicates, and if they get in they'll be doing
more than poking around.

>Allowing people to poke around freely makes enforcement hard. Everyone who
actually did something wrong is going to claim "oh I was just poking around."

Won't the fact that they actually did something wrong give lie to that claim?
The ones who are actually doing something wrong will be found making charges
to purloined credit card numbers or modifying shipping information in
databases or the like. I suppose you may catch someone in the act before they
have an opportunity to do any such thing, but if you have someone who is
really trying to do wrong, isn't it better to extend the investigation so as
to be able to charge them with the serious crime they actually intended than
to roll them up right away on a minor offense?

>Why can't security researchers get consent from their subjects to do
experiments on them, like every other kind of researcher?

Discovering vulnerabilities in production servers is not really research, it's
more like being a plumber or a firefighter. There may be professionals who are
paid to do it, but if you see water leaking or smell smoke, taking a moment to
do some cursory looking around to see if there is a serious underlying problem
should be just part of being a good citizen.

As for asking permission, the trouble is that the transaction cost consumes
the transaction. If someone goes to a website and notices that the URL has a
'userid=1157' appended to it, the natural thing to do is to try putting in
'userid=1158' and see what happens, because the two most overwhelmingly likely
things are either for it to produce an access denied error and be harmless, or
to log you in as a different user and be harmless as long as you don't further
abuse that fact. And 99 times out of 100 it will be the first one. Which is
why requiring permission breaks the propensity for good people to help out: If
the expectation is for people to ask permission before doing something like
that, the website operator is going to have anyone who notices that asking
about it, and if it _isn't_ broken then it gets annoying, which annoyance is
conveyed to the people asking about it so that in the future they stop asking
and stop helping. Which is I think what we see: Security people mostly don't
poke websites because the law prohibits it, so security flaws don't get
identified until the bad guys identify them.

I would also distinguish this from doing something like SQL injection or
exploiting a buffer overflow, which can reasonably be expected to cause a
denial of service or data corruption. In those cases there could be a charge
for something like reckless disregard for damaging a computer system as
opposed to purely for unauthorized access.

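The "change /accounts?id=12345 to 12346" probe that Cushman asks about, and the 'userid=1157' to 'userid=1158' experiment described in the comment above, is the class of flaw usually called an insecure direct object reference: the server looks up whatever id the client supplies without checking that the session is entitled to that object. The following is an added example, not code from the thread or from AT&T; the account table, the user names, the URL shape and the handler signatures are all constructed for the demonstration. It shows the vulnerable handler beside a hardened one, and the id-walking probe run against both.

```python
# Added example (not from the thread): an insecure direct object reference
# (IDOR) handler beside its hardened form, plus the sequential-id probe the
# discussion describes. All data and names below are constructed for the demo.
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import parse_qs, urlparse


@dataclass
class Account:
    id: int
    owner: str      # the session user who is allowed to read this row
    email: str


# Constructed sample table: sequential ids, as in the thread's /accounts?id=12345 example.
ACCOUNTS = {
    12345: Account(12345, "alice", "alice@example.com"),
    12346: Account(12346, "bob", "bob@example.com"),
    12347: Account(12347, "carol", "carol@example.com"),
}

Handler = Callable[[str, str], tuple[int, dict]]


def parse_account_id(url: str) -> Optional[int]:
    """Extract ?id=... from a request URL; None if missing or not an integer."""
    qs = parse_qs(urlparse(url).query)
    try:
        return int(qs.get("id", [""])[0])
    except ValueError:
        return None


def vulnerable_handler(session_user: str, url: str) -> tuple[int, dict]:
    """Trusts the client-supplied id: any logged-in user can read any row.
    The session user is never consulted, which is the whole bug."""
    acct = ACCOUNTS.get(parse_account_id(url))
    if acct is None:
        return 404, {}
    return 200, {"id": acct.id, "email": acct.email}


def hardened_handler(session_user: str, url: str) -> tuple[int, dict]:
    """Authorises the object against the session, not just the request.
    'Missing' and 'not yours' both return 404 so the status code does not
    tell someone walking the id space which ids exist."""
    acct = ACCOUNTS.get(parse_account_id(url))
    if acct is None or acct.owner != session_user:
        return 404, {}
    return 200, {"id": acct.id, "email": acct.email}


def enumerate_ids(handler: Handler, session_user: str, start: int, count: int) -> list[str]:
    """The 'increment the number in the URL' probe: walk sequential ids and
    collect every email the handler is willing to return to this session."""
    leaked = []
    for i in range(start, start + count):
        status, body = handler(session_user, f"/accounts?id={i}")
        if status == 200:
            leaked.append(body["email"])
    return leaked


if __name__ == "__main__":
    print("vulnerable:", enumerate_ids(vulnerable_handler, "alice", 12345, 3))
    print("hardened:  ", enumerate_ids(hardened_handler, "alice", 12345, 3))
```

Two design points worth noting: the ownership check lives in the handler that loads the object, not in a separate "is this a valid id" step, so there is no code path that returns a row without having compared it to the session; and the hardened handler deliberately does not distinguish 403 from 404, because the distinction itself leaks which ids are populated to anyone running the loop above.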
~~~
anigbrowl
_Especially where defendants are characteristically individuals without the
resources to defend their interpretation of the law in court._

Not true. Just because you may have to rely on a public defender doesn't mean
your legal theory would have legs with a better lawyer.

 _A kid who sneaks through your literal open window and starts nosing around
in your house is not pointing out a critical security vulnerability; you know
that your window is open. There is no benefit to the homeowner, the kid is
just a pest. But computers have higher security requirements: The equivalent
of an open window is a major failing in need of immediate attention, because
if a kid can get in then so can foreign criminal syndicates, and if they get
in they'll be doing more than poking around._

That's true as a pragmatic matter, but it is not your decision to make about
other people's systems. I can think of cases where an open window is a
critical security vulnerability; kids can fall out of them, medical or legal
papers may be accessible to third parties and put the subject of those papers
in jeopardy and so on. But that doesn't entitle me to climb through the window
in order to demonstrate or draw the homeowner's or business operator's
attention to the risks of the open window.

While it's quite true that AT&T was doing its customers a disservice here, and
I have no problem with people observing and commenting upon that fact, it's
their computer system, not yours. You don't have a right to poke around there
just because you have the know-how to build/operate a more secure system. I
doubt you would appreciate a private security company representative turning
up in your living room to harangue you about your open window. You would
rightly tell him that a) it's not his business and b) if he wants to help,
ring the fucking doorbell first, rather than publishing a directory of what's
inside your house.

------
dubfan
Even if they are similar cases (an assessment I disagree with), I doubt
Auernheimer will get nearly as much sympathy among the hacker community given
his history of trolling and malicious behavior, compared to Swartz's history
of creative and constructive actions.

~~~
filmgirlcw
Exactly. This guy was very publicly trying to either blackmail or sell the
data. As someone who had an iPad 3G and was alerted my info was stolen, I was
pissed at the future spam I knew I'd end up getting out of the whole thing.

Weev is a troll. That's not a judgment, that's fact. His antics weren't about
liberating data or making a bigger statement, it was about embarrassing a
company. He did it for the lulz.

The law might not see these as different cases (though like you, I know I do),
but public opinion certainly will.

To be totally honest, I'm sort of disgusted that he's using Aaron's suicide as
fodder to try to gain sympathy or sentiment ahead of his sentencing.

~~~
neilk
Trolling is not illegal. Embarrassing a company is not illegal. Talking or
joking about blackmailing a company on IRC is not illegal. Taking a security
exploit first to a journalist, rather than the parties involved, is not
illegal.

I am not a lawyer, but as I understand it, the crime that weev is being
charged with is literally that he accessed certain publicly available URLs.
For this, he is being charged with "accessing a computer without
authorization" and fraud.

As for Aaron versus weev: our dedication to a principle is tested when it
protects people that we don't like.

~~~
rayiner
Crime = intent + action. Doing two otherwise legal things may amount to a
crime. For example, it is not illegal to talk about killing your ex-wife. It
is also not illegal to walk to her house with a chainsaw. Both those things
are by themselves quite legal. But combine the two, and you can quite fairly
be charged for attempted murder.

~~~
rsingel
He never contacted AT&T. There was no talk of blackmail. He embarrassed the
company.

The alleged crime was identity theft. The people he was accused of stealing
the identity of were journalists whose emails and UCC-IDs were pulled out of
the data in order to email it to them to get their attention.

It's a bullshit prosecution and I'm flabbergasted that people on this board 1)
can't bother to dig up the facts and 2) support the feds prosecuting yet
another hacker who didn't do shit.

<https://www.documentcloud.org/documents/522213-auren.html>

~~~
tptacek
The ID theft charge is obviously bullshit. Of course, the ID theft helps
enable the CFAA charge.

------
mcantelon
The knee jerk force is strong... just as HN excused itself from supporting
Aaron because he was financially successful (he should "man up" and pay his
own legal costs, etc.), weev's trolling serves as another excuse to withhold
support.

~~~
1337biz
I absolutely agree with this point. There seems to be an ongoing pandering for
some individual characteristics that made it somewhat okay to put someone in
prison on ridiculous charges. Sure, Auernheimer is no saint, but these 'but he
made babies cry' stories are just trying to distract from the real issue at
hand.

------
mcantelon
I thought what had happened was they used his (pretty benign) hacking to
justify a raid on his place then nailed him on drug charges? Or did they also
pin hacking charges on him as well?

<http://news.cnet.com/8301-27080_3-20007827-245.html>

~~~
rdl
They dropped all the local drug charges and stuck to federal hacking charges.

Fayetteville, AR is a very poor/bad place and I think someone with a trivial
amount of drugs, who is also a supreme internet troll, is not someone they'd
want to prosecute locally.

~~~
joe_bleau
Ever been there? Fayetteville is a nice little college town and part of the
booming northwest corner of the state. It's certainly not very poor.

~~~
rdl
Ah, no, you are right. I was generalizing from "Arkansas and not Bentonville",
but I didn't realize how close it was. (I think this was based on an IRC
discussion a few years before weev's arrest when people were wondering wtf
everyone was moving to Fayetteville).

Although court funding is state level, so Arkansas being poor overall would
increase the desire to push stuff up to the feds. And I think states always do
that anyway.

------
Anechoic
HN Discussion from yesterday: <http://news.ycombinator.com/item?id=5095634>

