
This hacker might seem shady, but throwing him in jail is bad for everyone - Fourplealis
http://www.washingtonpost.com/blogs/the-switch/wp/2013/09/23/this-hacker-might-seem-shady-but-throwing-him-in-jail-is-bad-for-everyone/
======
msandford
If you visit an internet cafe and someone's forgotten to log out of their
bank account and you fiddle with it, that's probably a crime, since in nearly
all cases they probably didn't intend to do such a thing. We can surmise this
by observing that the banking website had a password to protect the account
holder. This is evident by virtue of the "log out" link that's clearly visible,
the fact that the website is served over HTTPS, and the normal convention that
banking information is private.

Now imagine that you come upon a computer and that you click on one of the
favorites. It's a banking website. No password, no HTTPS, no access controls
at all. Who is responsible for the security breach? You or the bank?

I would argue that if there are no technological access controls in place,
there is no such thing as "unauthorized access". You can't be unauthorized if
there is no authorization. The default on the internet is "can access".

They're prosecuting him for the digital equivalent of walking down a street
and taking pictures of houses which don't display numbers on their mailbox.

~~~
derleth
> I would argue that if there are no technological access controls in place,
> there is no such thing as "unauthorized access". You can't be unauthorized if
> there is no authorization. The default on the internet is "can access".

Or is it like walking into someone's private home because they left the door
open? Or merely unlocked?

The law likes to operate on analogies, because analogous situations are ones
for which we have precedent, and precedent makes the law predictable. The sad
thing is, precedent goes back to the pre-computer era, too, and isn't
necessarily overturned just because new technology with new social
expectations is involved. Maybe in a couple generations.

~~~
cortesoft
I don't think it is like walking into a private home because the door is
unlocked... this is more like someone walking into a store, looking around,
and then getting in trouble for looking at a specific display shelf that was
in the back corner. The shelf wasn't labeled as off limits, you were just
wandering around where you were supposed to and happened to see it. The store
can't get mad and say "well yeah, but we put it in the back corner where most
people don't go... and we put sensitive stuff back there! How dare you look at
it!"

Well, it was right in the same store you invited me into! There was no sign or
lock or anything saying not to look at the shelf.

This was a PUBLIC website... you are supposed to be able to visit it. If you
make a request to a server without providing authentication and it returns
data, that is not your fault. That is what you are SUPPOSED to do to servers.
If it asks for authentication and tells you you are unauthorized, but you
brute force the password or find an exploit, then THAT is a crime. There was
no authentication in this case.

~~~
res0nat0r
>This was a PUBLIC website... you are supposed to be able to visit it. If you
make a request to a server without providing authentication and it returns
data, that is not your fault. That is what you are SUPPOSED to do to servers.
If it asks for authentication and tells you you are unauthorized, but you
brute force the password or find an exploit, then THAT is a crime. There was
no authentication in this case.

Unfortunately none of these excuses are valid. He knew he was accessing
something he shouldn't have been. If he did it once or twice and stopped that
is one thing, intent is a major part of the law, and he intended to exploit
something he knew he should not have been. That is why he is being found
guilty.

~~~
msandford
If I find a $50 bill on a sidewalk I can INTEND to steal it as much as I want.
But no matter how badly I WANT to steal it I cannot, because at that point it's
not a thing that can be stolen. There is no way to trace it back to its
former owner and as such, the first person to find it is legitimately the new
owner.

Weev might have said that he "stole" the information or that he "intended" to
perform an unauthorized access but ultimately that doesn't matter. There was
no access control to prevent the internet's default of "everything is visible"
so that's precisely what happened. It's not a hack no matter how badly he or
the government want it to be. Intent matters not one iota.

~~~
res0nat0r
Of course intent matters. If I run over someone with my car and kill them and
it was deemed just a terrible but unfortunate accident, that is 100% different
than if I drove over them because I _intended_ to run them down and kill them.

The same applies to this case. He intended to access something he knew he
shouldn't have had access to. Thus why he is guilty.

~~~
legutierr
Yes, but in your example (where someone is killed) there is rather obviously
an underlying act that may or may not be criminal depending on the intent.
There are infinitely many acts that cannot be considered crimes regardless of
how malicious the intent behind them may be.

Furthermore, just because someone feels that they have done something wrong
does not make what they have done a crime. The law also must consider that
action to have been illegal.

Hopefully, the appeals court will determine that accessing a public
unrestricted URL cannot be considered illegal, regardless of the mindset of
the person who might choose to access it.

------
austenallred
Reading this article
([http://www.theverge.com/2013/9/12/4693710/the-end-of-kindness-weev-and-the-cult-of-the-angry-young-man](http://www.theverge.com/2013/9/12/4693710/the-end-of-kindness-weev-and-the-cult-of-the-angry-young-man))
makes me feel not too terrible that he's being thrown in jail.

~~~
sneak
Weev's a right shithead, you're absolutely right.

I still bailed him out of jail for the time leading up to and during his
trial. Why? Because UNPOPULAR SPEECH SHOULD NEVER BE CRIMINAL, no matter how
revolting. Indeed, it is the unpopular and revolting stuff that needs the most
defending:

"The trouble with fighting for human freedom is that one spends most of one's
time defending scoundrels. For it is against scoundrels that oppressive laws
are first aimed, and oppression must be stopped at the beginning if it is to
be stopped at all." —H.L. Mencken

~~~
PhasmaFelis
By "unpopular speech", do you mean the AT&T bit, or the harassment bit? If the
latter, I disagree. A free and fair society can certainly draw a line between
"unpopular speech" and "criminal harassment."

If I were to threaten to murder you, you wouldn't expect the police to say
"Eh, nothing we can do, he's got a right to free speech. Call us back after he
shoots you, you'll have a case then."

~~~
jrockway
_If I were to threaten to murder you, you wouldn't expect the police to say
"Eh, nothing we can do, he's got a right to free speech. Call us back after he
shoots you, you'll have a case then."_

This is the problem with thought experiments regarding crime: they always make
the facts 100% certain, when in real life, the facts are never 100% certain.
If we were to rephrase your thought experiment, it would be:

"Some guy said some other guy was going to kill him. Let's throw that some
other guy in prison for a while, just in case."

Not quite as clear-cut as you think, is it?

~~~
PhasmaFelis
_"Not quite as clear-cut as you think, is it?"_

Weev did literally threaten to murder Kathy Sierra, and he then bragged about
doing so on multiple public websites. So, yes, it is quite clear-cut.

(And, please, at least think for a minute before you try to rebut by saying
that he didn't _mean_ it, so it shouldn't count.)

~~~
jrockway
Were you at the keyboard when he was typing this message?

~~~
PhasmaFelis
Why, you're right. I don't know for sure that the NSA didn't fake dozens of
threatening emails from Weev, and several forum posts, and then used mind-
control satellites to keep him from posting that it wasn't him or telling any
of his meatspace friends that it wasn't him, and then used mind-control
satellites again to make him brag in person to that reporter. Oooh, or maybe
they used mind-control satellites on the _reporter_ to make him slander Weev's
good name, and MCS once more to keep all the people in the article from
revealing the truth!

Give it up, man. The guy whose image you're trying to clean prefers it nice
and dirty.

------
nonce42
It's worth reading the criminal complaint and indictment
([https://www.eff.org/cases/us-v-auernheimer](https://www.eff.org/cases/us-v-auernheimer))
to get some background. In particular: the discussions of using
the email addresses for a phishing scheme, using them for spam, shorting AT&T
stock and profiting off the data release, setting up WiFi routers so they can
blame it on a third party, discussing how this was a federal crime, and how to
spin themselves as a legitimate security organization. These things make it
really hard to view weev as a genuine security researcher who was prosecuted
for no good reason.

~~~
lawnchair_larry
It's not worth reading that, because it's taken completely out of context. As
badly as it's taken out of context, you're actually taking it even more out of
context in your comment here. Weev actually said that shorting stock would be
illegal, and said something to the effect of "if you do it, I don't want to
know about it" and discouraged many other "suggestions" from people who didn't
appear to have any real part in it, but were cheerleading.

In any case, that is very typical IRC conversation for a large portion of that
subculture. They joked about doing these things, but they didn't actually take
steps to do them. He considers himself a satirist, so it's not much different
than some comedians talking nonsense over beers and having it show up in an
indictment.

One of the chatters observing said they should post the list to full-
disclosure. Weev replied saying "no, don't do that, it's potentially criminal."
He then talked about how he gets to spin it in the media and he's won. That
says pretty clearly that he was only out to make a scene, which is what he has
always done.

------
biot
Everyone throws out analogies about walking into unlocked houses and such.
Those are fairly poor analogies, so let me offer one which I think is far
better at conveying what really happens.

Imagine you walked into a public library and struck up a conversation with the
librarian:

    
    
            You: Can you tell me general information about this library?
      Librarian: Certainly, this library was built in 1990, has a million
                 books on its shelves, and...
            You: What are the hours?
      Librarian: Monday to Saturday, 10AM to 8PM. Sunday, 10AM to 5PM.
            You: Frothy bacon generates utilitarian synapses!
      Librarian: I'm sorry, that's not really a proper question I can help
                 you with.
            You: Can I borrow book identified by ISBN 4961357406830?
      Librarian: Sure, here you go.
            You: Can I borrow book identified by ISBN 6498794651315?
      Librarian: Sure, here you go.
            You: Can I borrow book identified by ISBN 9840546790354?
      Librarian: Sure, here you go.
            You: Can I borrow book identified by ISBN 3168706780943?
      Librarian: Sure, here you go.
            You: Can I borrow book identified by ISBN 7893781056145?
      Librarian: Sure, here you go.
            You: Can I borrow book identified by ISBN 2764894617987?
      Librarian: Sure, here you go.
            You: Can I borrow book identified by ISBN 9764660911970?
      Librarian: Sure, here you go.
            You: Can I borrow book identified by ISBN 6666666666666?
      Librarian: Sorry, that book doesn't exist.
            You: Can I borrow book identified by ISBN 8669177714641?
      Librarian: Sorry, you've been requesting too many books lately.
            You: Can you let me into the Staff lounge?
      Librarian: Sorry, you'll need to show me your staff credentials when
                 asking.
            You: Can you provide me with a list of all employees and their
                 salaries?
      Librarian: Sorry, you are not allowed to have that information.
            You: Can I use the general conference room on the third floor?
      Librarian: Actually, that was moved. It's now on the second floor.
    

As you can no doubt see, these translate directly into HTTP requests:

    
    
      GET /
      200 OK - This library was built in 1990, has a million books...
      GET /hours
      200 OK - Monday to Saturday, 10AM to 8PM. Sunday, 10AM to 5PM.
      POST /frothy-bacon-generates-utilitarian-synapses
      400 BAD REQUEST
      GET /books/4961357406830
      200 OK - [contents]
      GET /books/6498794651315
      200 OK - [contents]
      GET /books/9840546790354
      200 OK - [contents]
      GET /books/3168706780943
      200 OK - [contents]
      GET /books/7893781056145
      200 OK - [contents]
      GET /books/2764894617987
      200 OK - [contents]
      GET /books/9764660911970
      200 OK - [contents]
      GET /books/6666666666666
      404 NOT FOUND
      GET /books/8669177714641
      429 TOO MANY REQUESTS
      GET /admin
      401 UNAUTHORIZED
      GET /employees/salaries
      403 FORBIDDEN
      GET /floor/3/conference
      301 MOVED; Location: /floor/2/conference
    

In both cases, we have a gatekeeper (librarian / web server) which is capable
of responding to requests, can authorize various requests, can require
credentials for sensitive requests, can limit the rate at which requests come
in, can deny requests altogether, and can identify when requests for certain
things have moved to new locations.

The librarian is smart enough to not hand out things like access to the staff
lounge, a list of employees and their salaries, or even things like an
arbitrary library member's borrowing history. The web server has been
configured to not hand out things like admin access or other things which are
deemed sensitive, but the owners of the web server have taken the position
"Well, nobody's going to be guessing ISBN numbers, so we'll let anybody on the
internet request the contents of those books."

When is the onus on the web server owner to configure their security properly?
When is a "200 OK" response actually not okay? This is the "mind reader"
aspect the article mentions.

~~~
skwirl
Really, you are going to give people crap for bad analogies, and then try to
compare the actions of a conscious human being to an automated computer
system?

~~~
msandford
An automated computer system can only do what it's told. It perfectly carries
out the instructions it is given. A human being can really screw everything up
using their judgement and coming to the wrong conclusion.

The problem here is that AT&T employed a human being to design an automated
system who didn't know enough about the automated system to ensure that it was
correct. And then this automated system did exactly what it was told to do and
made AT&T look bad.

But the fact that the code running on the webserver didn't reflect the intent
of some AT&T exec or their company policy isn't the fault of those accessing
the webserver. It's AT&T's fault for doing a really terrible job of QA/QC on
their own systems prior to a really big launch.

~~~
skwirl
The bad analogy can be extended to mechanical devices, such as a lock. The
lock is also an automated system, and it is a system that will also perfectly
do what it is told with even higher fidelity than a computer due to its
relative simplicity.

I with my lockpick tell pin 1 to move up so many millimeters, I tell pin 2 to
move up so many millimeters, and so on, and suddenly the lock opens. Suddenly
I'm in, and it should be legal because the lock wasn't designed as well as it
could have been and because all I did was follow a legal protocol with the
lock.

Bad analogies like this are so common here when discussing technology issues,
and it is a never ending irritating game of come up with the least-worst (but
still bad) analogy. People here also often confuse their understanding of
technology with legal/ethical sagacity, which is laughable.

------
usaphp
Here is my analogy:

1. You just finished your workout and went to a locker room at your gym (he
went to a public website)

2. You opened up your own locker and took your stuff from it (checked his
account)

3. You found out that very few people are using locks in the gym locker room
(figured out the account id in the URL)

4. You know that it is not your belongings in other people's lockers, but they
are not locked just because people are lazy or don't want to spend money
on the lock (he knew that those accounts did not belong to him, and were
accidentally not locked by AT&T)

5. You decided that if those lockers are not locked, that means that the clothes
inside of those lockers are public property and you can easily borrow them
(tried to browse to other URLs and get private account info)

6. You go ahead and try opening every single locker in the room and put all the
belongings you find in opened lockers on eBay to sell them for a profit,
BEFORE letting the owners or the gym know that those belongings are not
locked. (sold private data to somebody)

I think that's not legal behavior; as long as you understand that the property
you are taking is not yours, you are committing a crime by taking it (stealing).

~~~
andrewaylett
How about replacing step three with "You notice that all the lockers have
glass tops" and following that with a story about taking photographs?

~~~
victorf
Why would we want an analogy that more accurately reflects the reality of the
situation? We're trying to justify this, not let him out on appeal.

------
darklajid
I know this is not a position people over here like to support, but..

    
    
      But this technique, known as "scraping," is surprisingly common among
      technologically sophisticated users and has a number of legitimate
      applications.
    
      To get a list of sex offenders, Poulsen wrote an automated program to search the
      Department of Justice Web site for each zip code
      in the United States and then save the name and
      address of each registered sex offender in that
      zip code to a file.
    

Really? Really? That's a 'legitimate application'? Never mind that the pure
existence of that registry is a slap in the face for people with my
understanding of Freedom and Liberty (in caps), scraping _that list_ is why we
want to protect scraping? I haven't felt that disconnected from content on this
site for a long time.

    
    
      Yet most people would agree that Poulsen's actions
      were a legitimate journalistic project. So we might
      want to be careful about subjecting this kind of
      technique to criminal penalties.
    

Most people?? In what world?

I'm sorry for the detour, but the whole article is trying to defend weev while
linking to atrocious actions of that guy in the past and coming up with the
most despicable (Thanks Hollywood, learned a new term) reason for scraping
_ever_. Disgusting.

------
PhasmaFelis
So does anyone know why exactly they weren't able to get Weev on criminal
harassment? I wouldn't expect the gummint to fail to bring the charge unless
they thought there was no hope of victory, but it seems like such a gimme.

~~~
bcoates
I'm not sure there is any relevant law. At the federal level it appears to
require "obscenity" which is very hard to prove for anything short of child
pornography.

~~~
PhasmaFelis
IIRC, he photoshopped pictures of Kathy Sierra's kids into porn and posted
them online, and emailed her graphic threats to rape her with a chainsaw. It
doesn't seem like you'd have a hard time convincing a jury of "obscenity".

------
JanneVee
It is annoying when people throw analogies around to describe it to a highly
technical audience. When is Hacker News going to discuss the fact that User-
Agent in the HTTP header is not a security feature? When is the discussion
that a sequential id is equivalent to no security?

No analogy in the world is going to change the fact that User-Agent checking
and sequential ids are not security features. And if courts are allowed to
make them security features it is bad news for everyone's security.
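
Added example, not code from the article, the thread, or AT&T: biot's librarian
exchange rendered as a small Python request router that answers with the status
codes from that comment, plus the route this comment is about, in two variants.
The "leaky" variant gates an account record on a User-Agent sniff and an id the
owner assumed nobody would guess; the "hardened" variant derives identity from a
server-issued credential and checks that the record belongs to that identity.
Every route, ISBN, account id, e-mail address and token below is constructed.

```python
"""Toy HTTP gatekeeper: the librarian dialogue as a request router.

Added example, not code from the article, the thread, or AT&T.
All routes, ISBNs, account ids, e-mail addresses and tokens are constructed.
"""
from dataclasses import dataclass, field

# Constructed data: a public catalogue, accounts keyed by a sequential id
# of the kind that ends up in a URL, and the sessions the server issued.
BOOKS = {"4961357406830": "Tractatus", "6498794651315": "Dune"}
ACCOUNTS = {
    "1001": {"owner": "alice", "email": "alice@example.com"},
    "1002": {"owner": "bob", "email": "bob@example.com"},
    "1003": {"owner": "carol", "email": "carol@example.com"},
}
SESSIONS = {"tok-alice": "alice"}      # bearer token -> principal
BOOK_RATE_LIMIT = 8                    # /books/ requests allowed per client


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    client: str = "anon"               # stand-in for a source address


class Gatekeeper:
    """Answers requests with (status, body), the way the librarian does."""

    def __init__(self, account_policy="leaky"):
        self.account_policy = account_policy
        self.book_requests = {}        # client -> number of /books/ requests

    def handle(self, req):
        if req.method not in ("GET", "HEAD") or not req.path.startswith("/"):
            return 400, "not a question I can help with"
        parts = req.path.strip("/").split("/")
        if req.path == "/":
            return 200, "built in 1990, a million books"
        if req.path == "/hours":
            return 200, "Mon-Sat 10-8, Sun 10-5"
        if parts[0] == "books" and len(parts) == 2:
            n = self.book_requests.get(req.client, 0) + 1
            self.book_requests[req.client] = n
            if n > BOOK_RATE_LIMIT:
                return 429, "too many requests"
            title = BOOKS.get(parts[1])
            return (200, title) if title else (404, "no such book")
        if req.path == "/admin":
            if SESSIONS.get(self._bearer(req)) is None:
                return 401, "show staff credentials"
            return 403, "not staff"    # authenticated, still not allowed
        if req.path == "/employees/salaries":
            return 403, "not allowed"
        if req.path == "/floor/3/conference":
            return 301, "Location: /floor/2/conference"
        if parts[0] == "accounts" and len(parts) == 2:
            return self._account(req, parts[1])
        return 404, "no such page"

    @staticmethod
    def _bearer(req):
        auth = req.headers.get("Authorization", "")
        return auth[len("Bearer "):] if auth.startswith("Bearer ") else None

    def _account(self, req, account_id):
        acct = ACCOUNTS.get(account_id)
        if self.account_policy == "leaky":
            # The non-control: a User-Agent sniff plus an id the owner assumed
            # nobody would guess. Any client can set both.
            if "iPad" not in req.headers.get("User-Agent", ""):
                return 400, "unsupported device"
            return (200, acct["email"]) if acct else (404, "no such account")
        # Hardened: identity comes from a credential the server issued, and the
        # record must belong to that identity. Unknown and foreign ids answer
        # identically, so the id space is not an oracle for valid accounts.
        principal = SESSIONS.get(self._bearer(req))
        if principal is None:
            return 401, "authenticate first"
        if acct is None or acct["owner"] != principal:
            return 404, "no such account"
        return 200, acct["email"]


def enumerate_accounts(gate, headers, ids):
    """What a scraper does: walk the id space and keep every 200."""
    found = {}
    for account_id in ids:
        status, body = gate.handle(Request("GET", f"/accounts/{account_id}", headers))
        if status == 200:
            found[account_id] = body
    return found
```

Run `enumerate_accounts` over a range of ids against `Gatekeeper("leaky")` with
a spoofed iPad User-Agent and it harvests every account; against
`Gatekeeper("hardened")` the same walk yields nothing without a token and only
the caller's own record with one. The 404 for a foreign account in the hardened
policy is deliberate: answering 403 there would still confirm which ids exist.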

------
ajays
/u/biot's analogy is apt. But I don't understand why it isn't a defence that
the HTTP protocol starts with a _REQUEST_ . The server is the one who actually
serves up the information.

If I _request_ something from you ("hey, can I borrow your car?"), and you
give it to me, then what's the problem here?

------
gwu78
Kudos to the WP for ongoing coverage of this case. There are important issues
being litigated here that could affect everyone, and I'd argue they are worth
discussing without regard to this particular defendant and the sheer stupidity
of his actions.

However, I find WP's use of Poulsen's activities as an example of "legitimate"
automated HTML retrieval ("scraping") to be an odd one. It seems an awkward
comparison to convey what should be a simple point, in my opinion.

How about something much more common? Googlebot. Imagine if we forbade Google
from using automation and from scraping content and placing it in the Google
cache. No more web search.

Alas, because of the ad hoc nature of the Web (i.e., there is no unifying
organizational scheme for locating content across all websites as there would
be in, say, locating content in a library of books), you cannot access Web
content until you first discover it. In order to discover content, you
generally have to search. In order to create an index and cache of content to
search, someone has to scan/crawl/scrape websites. The latter three are
activities that are routinely automated. As such, they will violate many
website Terms of Service and may get you banned simply for being "automated".

In fact, to use Google as an example (not picking on them per se, it's just
that they are a well-known example), crawling Google will "get you banned"
from using Google, temporarily.

The irony of this has always intrigued me: Google may crawl your servers, but
under Google's policies, you may not crawl Google's servers.

If I create an index of your website, at your expense (by aggressively running
automated queries against your http server, as Google does, for example), am I
obligated to share it with you?

In any event, attempts to criminalize automation should raise red flags with
anyone who is even slightly tech savvy.

~~~
jebblue
>> The irony of this has always intrigued me: Google may crawl your servers,
but under Google's policies, you may not crawl Google's servers.

It looks like some of their site can be crawled and some not, that's how
robots.txt has worked for a long time:

[http://www.google.com/robots.txt](http://www.google.com/robots.txt)
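
Added example, not code from the thread or from Google: the convention jebblue
points to, evaluated the way a well-behaved crawler (the Googlebot case gwu78
raises, or anyone's scraper) would before fetching anything. The robots.txt
text, host name, user-agent strings and paths are constructed; the parser is
Python's standard-library `urllib.robotparser`, fed from a string so it runs
offline. Crawl-delay is honoured by scheduling fetches rather than firing them
at once, which is the difference between indexing a site and being banned from
it.

```python
"""robots.txt as the Web's own answer to "may I crawl this, and how fast?"

Added example, not code from the thread or from Google. The robots.txt text,
host name, user-agent strings and paths below are constructed.
"""
import urllib.robotparser

# Constructed robots.txt in the spirit of the one linked above: results pages
# are off limits to everyone, one named scraper is refused outright, and every
# other agent is asked to pace itself. The specific Allow is listed before the
# broader Disallow because Python's parser applies the first matching rule
# (Google's longest-match evaluation reaches the same answer for these paths).
ROBOTS_TXT = """\
User-agent: Scraper-Bot
Disallow: /

User-agent: *
Allow: /search/about
Disallow: /search
Disallow: /admin/
Crawl-delay: 2
"""

HOST = "https://www.example.com"   # constructed; only the path part is tested


def load_policy(text):
    """Parse robots.txt from a string instead of fetching it over the network."""
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def plan_crawl(rp, user_agent, paths, start=0.0):
    """Split candidate paths into allowed/refused and schedule the allowed ones.

    Returns (allowed, refused, schedule). schedule maps each allowed path to the
    earliest time (seconds from `start`) it may be fetched, spaced by the
    site's Crawl-delay for this agent, so the crawler never earns a 429.
    """
    delay = rp.crawl_delay(user_agent) or 0     # None when the site sets none
    allowed, refused, schedule = [], [], {}
    next_slot = start
    for path in paths:
        if rp.can_fetch(user_agent, HOST + path):
            allowed.append(path)
            schedule[path] = next_slot
            next_slot += delay
        else:
            refused.append(path)
    return allowed, refused, schedule


if __name__ == "__main__":
    policy = load_policy(ROBOTS_TXT)
    candidates = ["/", "/search?q=weev", "/search/about", "/admin/users", "/about"]
    for agent in ("Googlebot/2.1", "Scraper-Bot/1.0"):
        ok, no, when = plan_crawl(policy, agent, candidates)
        print(agent, "may fetch", ok, "at", when, "and must skip", no)
```

A real crawler would fetch `/robots.txt` once per host (`RobotFileParser.set_url`
and `read` do that), cache it, and sleep until each scheduled slot; the decision
logic is exactly what `plan_crawl` does. Note that `Crawl-delay` is a widely
honoured extension rather than part of the original robots.txt convention, so a
crawler should still fall back to its own conservative pacing when the site sets
none.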

~~~
gwu78
And search results (the data they have obtained via crawling others' sites) is
not among the data that can be crawled.

What are you suggesting?

------
mangoman
I love the use of analogy to describe the situation to those who may not
understand exactly what Weev did. But can we decide law simply on analogy?
Which analogy is a more accurate tale of what Weev did? What I like about this
article is it explains what Weev did and how incredibly common his techniques
were, without too much analogy. Analogies may be much more effective, but a
direct explanation feels a lot more genuine.

~~~
mylorse
How about mine?:
[https://news.ycombinator.com/item?id=6435769](https://news.ycombinator.com/item?id=6435769)

You are welcome to critique, not harass⸮:

------
mabhatter
Government always prefers "shoot the messenger" to actual security. There
should literally be nothing illegal about what he did in that case. He
didn't "hack" anything except HIS computer to pretend to be an iPad. And that
would be the point of identifying it as a security concern. After all, if he
had figured it out, surely the Russians and Chinese figured it out between
when he did it and when they prosecuted him... it doesn't make the hole go away!!!

What he did is like sticking a GM car key into a Toyota. Generally that
doesn't work, it shouldn't work... but what if it does anyway? Shouldn't the
company that makes the cars fix that?

------
hawleyal
The information was public. He did nothing wrong.

It is similar to accidentally posting all those email addresses on a bulletin
board on the street and hoping no one reads them.

------
3327
He is a hacker? He must be doing computer sorcery - off with his head.

