
Security Researchers tell court: We do what Andrew Auernheimer did - walid
http://www.groklaw.net/article.php?story=20130710170719460
======
casca
This is really important to those of us in the infosec industry. A criminal
sentence for changing a parameter in a GET tag is not appropriate. I wonder
whether blocking tracking cookies could also be considered unauthorized
modification.

Unfortunately there's huge incentive for companies with a public reputation to
make this sound like the work of evil hackers rather than their own
unwillingness to perform basic security protection on their public-facing
services. Money on lawyers and PR is only spent when there's a known threat,
whereas preventative security is successful when nothing happens.

~~~
tptacek
No, because CFAA isn't a strict liability crime and the prosecution is
required to prove intent.

~~~
pyre
Changing from:

    https://payroll.example.com/SSN=000-00-0000

to:

    https://payroll.example.com/SSN=000-00-0001

shows intent to gain access that you were obviously not authorized for, even
if you immediately report what you find.

Wasn't it ruled that accessing stuff that you aren't authorized to that is
publicly (within a company) accessible to all on a shared drive violates the
CFAA because you are exceeding your authorization?

~~~
tptacek
I was referring to the "wondering if blocking tracking cookies" question. I
don't have a problem with criminalizing attempts to pull up random people by
their SSN.

~~~
pyre
> I don't have a problem with criminalizing attempts to pull up random people
> by their SSN.

If I see that the URL contains my SSN, and want to investigate if they were
stupid enough to have this as a security hole, what are my options?

You seem to say that if I pull up the page of someone else, I am immediately a
criminal and need to go to jail.

Should I instead report the possible issue to the company? Will they actually
take, "I see that the SSN is in the URL and that might be a security hole, but I
don't know for sure because I haven't attempted to try it," seriously?
Hopefully they would, but I find that hope to be way more optimistic than the
'real world' should get credit for.

~~~
ceol
You don't get to break into a bank because you want to see if you can exploit
a security hole.

What you're talking about is more akin to wiggling the bank's door handle and
then leaving. What weev did is break in, steal a bunch of documents, and then
talk about selling them.

~~~
sneak
"Breaking in" suggests that there is access control (locks, doors, walls, etc)
in place.

ATT admitted in court to publishing this data on the web. Emitting email
addresses in response to ICCIDs was a specific feature they explicitly
implemented to reduce the number of steps required to resubscribe to service,
not a "security hole".

Your physical analogy is inappropriate, and serves to frame his actions as
criminal when they are clearly not.

Please read the brief.

~~~
ceol
_> "Breaking in" suggests that there is access control (locks, doors, walls,
etc) in place._

No, it doesn't. See, this is what happens when you start talking about crimes
on the internet when you really shouldn't be. If I leave all my doors and
windows opened, or if I put a box of valuables in the middle of an empty lot
that I own, it doesn't suddenly make it legal for people to steal from me.

AT&T leaving their doors and windows open does not suddenly authorize any ol'
grody troll to walk in and take personal information.

Whether you like it or not, his crime will be made into a physical analogy.

~~~
bigiain
I _mostly_ agree with you.

How about _this_ analogy?

AT&T left a box of valuables in the middle of a lot they own, and weev walked
by and grabbed them. Problem is, they weren't AT&T's valuables, they were mine
and yours and 100,000 other people's who'd entrusted AT&T with them.

Now who's "the bad guy"? Who's the more culpable "criminal"? Who would we be
holding to account if it were a bank who'd piled up the cash from 100,000
people's savings accounts into a building with all its doors and windows open?

Sure, what weev did was wrong. I don't think it was the _only_ wrong done
here, or possibly even the "worst" wrong.

~~~
ceol
I think that's fair. AT&T should be reprimanded for a serious lack of security
— how much they should be reprimanded would be another topic for debate.

But it doesn't take away from weev's crime (both this one and his previous
harassments).

~~~
walid
Sorry for your distorted reality. You're saying that everyone who accesses
unsecured information on a badly secured server gets reprimanded. You're
placing the onus of security on the user which makes your point pure BS.

------
PhasmaFelis
I kind of got the impression that Weev getting sent up for identity fraud was
a lot like Al Capone getting it for tax evasion. Which is to say, he was a
sadistic monster of a troll who delighted in ruining people's lives, but he
was cunning enough to never quite cross the criminal-harassment line with
anyone brave enough to press charges, so they got him on this instead.

It's a rotten precedent, and I can't really blame anyone for opposing it on
principle, but let's do remember that Weev himself is not any kind of hero.

~~~
eridius
Also don't forget that Weev was considering selling the info he got, before he
decided to be lazy and just tell the world. So not only is he a massive troll,
but his motives for the "hack" were also less than saintly.

~~~
sneak
You can, in fact, forget that. We should judge people to be criminals or not
based on their actions, not their daydreams.

Also, how is it lazy to create a media shitstorm and get your house raided
versus making some free money quickly and quietly? Are you really trying to
frame his turning down free money as the MORE disdainful choice?!

~~~
ceol
It is in fact illegal to "daydream" (i.e. make solid plans) about doing
certain crimes:
[https://en.wikipedia.org/wiki/Conspiracy_(crime)](https://en.wikipedia.org/wiki/Conspiracy_\(crime\))

~~~
moocowduckquack
To try and define the term "daydream" as being equivalent to "make solid
plans" so that you can equate daydreaming with criminal conspiracy is some of
the most tortuous logic I have seen in a while. Have you ever thought of a job
as a government press secretary? You'd fit right in.

~~~
ceol
Trying to define "talking to your friends about how you're going to sell
stolen information" as being equivalent to "daydream" is the tortuous logic I
was responding to. Please read the _entire_ thread and not just comments you
don't agree with.

~~~
moocowduckquack
I did read the whole thread and I just read the published transcripts.

He does not say that he is going to sell stolen information.

He does remark on IRC that the information is valuable and could be sold or
used for a phishing operation, but that is an observation of reality, and can
not be taken as a statement of intent without some other evidence showing that
he was likely to pursue that course of action, and given that he then handed
the list to Gawker it would seem that this was not his intent, though the
possibility had obviously crossed his mind.

To consider the possibility of indulging in criminal behaviour is not the same
as planning to do so.

------
throwawaykf02
> We do what Andrew Auernheimer did.

You mean, exploit a weak access control scheme, fail to disclose the exploit
properly, instead use it to download private data in bulk, make unwise brags
to reporters about potentially misusing that data, and then be dicks to the
judge?

------
zimbatm
> Most importantly, like Auernheimer, researchers cannot always conduct
> testing with the approval of a computer system’s owner. Such independent
> research is of great value to academics, government regulators and the
> public even when – often especially when — conducted without permission and
> contrary to the website owner’s subjective wishes.

It would be fun to do that in the real world; yes, mister, I was walking in
the mall at night. I thought an independent review of their security system was
important. Here are some of their employee files that I found in a drawer as
proof that personal information could be leaked.

:D

~~~
GeneralMayhem
More like "here are some of their employee files that were taped to the front
door, and which I leafed through out of curiosity." Anything that is URL-
accessible without password protection cannot seriously be compared to being
behind locked doors or even on private property. It's in public view.

------
jingo
The brief leaves me with the impression that

    curl http://example.com/page[1-100].html (sequential download)

where no URL is password protected (open access)

is still a violation of the CFAA if someone can convince a court that such
access was "unauthorized".

That's crazy.

And the prosecutor would probably proceed to call the above command
"software". As in "the defendant wrote software..." Makes for a compelling
narrative doesn't it? But the truth is, Daniel Stenberg wrote the software and
included this feature for a reason. Was that reason to assist users with
criminal intent? C'mon.

I can't help but think of all the many sources of exposed email addresses on
the internet, whether they are exposed through ambivalence toward users'
privacy or simply incompetence (as with AT&T).

Such sources are constantly mined by email marketers. WHOIS data comes to
mind. Correct me if I'm wrong, but the information this defendant accessed was
nothing more than email addresses. Is that right?

How many businesses on the web fail to adequately protect their customers'
email addresses? Many more than just AT&T. And how many businesses sell their
customers' email addresses to email marketers? Doesn't AT&T require customers
to opt out lest their email address and other personal info be shared with
AT&T "marketing partners"? I don't know, but I wouldn't be surprised.

I have no opinion on the guilt or innocence of this defendant. Maybe he
deserves to be prosecuted.

But anyone with half a brain should be disturbed that a CFAA prosecution can
proceed on a set of facts such as these. AT&T had to literally create
"damage", by racking up a $7000 postage bill. Did the defendant "cause" money
to be spent on postage? No, that expense was caused by AT&T's carelessness in
exposing email addresses and their subsequent decision to notify customers of
their mistake by postal mail. Whatever happened to mitigation of damages?

I guess there's probably much I don't understand about this case. But reading
the brief, the interpretation of the statute sounds incredibly one-sided. With
this sort of loose interpretation, how can anyone defend himself against a
CFAA prosecution?

If a party wants to claim some access to their computer was "unauthorized",
then maybe they need to set up a proper mechanism for authorization. Usually,
that's a password. The URLs this defendant accessed, where he found email
addresses, were not password protected. Putting confidential information at
URLs that you don't think anyone will guess does not seem to me to be a
proper system for authorization. Claiming that anyone who stumbles on these
URLs is making "unauthorized" access seems like a weak argument. Apparently
it'll do just fine.
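
The identifier-in-the-URL pattern that pyre's SSN example and jingo's curl range describe, as an added defender's example (not code from the thread, from AT&T, or from the case): the unauthenticated lookup beside an ownership-checked one, and a log scan that flags a client walking many distinct identifiers. The records, the `/lookup?id=` path, the log line shape and the log entries are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample records (fictitious): identifier in the URL -> owner's email.
RECORDS = {
    "8901000000000000001": "alice@example.com",
    "8901000000000000002": "bob@example.com",
    "8901000000000000003": "carol@example.com",
}

def lookup_insecure(identifier):
    """Weak pattern: whatever identifier is in the URL, the record comes back, no session needed."""
    return RECORDS.get(identifier)

def lookup_secure(session_user, identifier):
    """Hardened form: a record is returned only to an authenticated caller who owns it."""
    if session_user is None:
        return None                      # no session: refuse, regardless of identifier
    email = RECORDS.get(identifier)
    if email is None or email != session_user:
        return None                      # unknown identifier, or one belonging to someone else
    return email

# Access-log line shape assumed by the detector (constructed, simplified common-log style).
LOG_RE = re.compile(r'^(\S+) - "GET /lookup\?id=(\d+) HTTP/1\.1" (\d{3})')

def detect_enumeration(log_lines, threshold=3):
    """Flag clients that request many distinct identifiers: a subscriber touches one, a sweep touches hundreds."""
    ids_by_client = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            ids_by_client[m.group(1)].add(m.group(2))
    return sorted(c for c, ids in ids_by_client.items() if len(ids) >= threshold)

# Constructed log: one ordinary subscriber and one client walking sequential identifiers.
SAMPLE_LOG = [
    '198.51.100.5 - "GET /lookup?id=8901000000000000002 HTTP/1.1" 200',
    '203.0.113.7 - "GET /lookup?id=8901000000000000001 HTTP/1.1" 200',
    '203.0.113.7 - "GET /lookup?id=8901000000000000002 HTTP/1.1" 200',
    '203.0.113.7 - "GET /lookup?id=8901000000000000003 HTTP/1.1" 200',
    '203.0.113.7 - "GET /lookup?id=8901000000000000004 HTTP/1.1" 404',
]

if __name__ == "__main__":
    print(lookup_insecure("8901000000000000002"))                     # bob@example.com, handed to anyone
    print(lookup_secure("alice@example.com", "8901000000000000002"))  # None
    print(detect_enumeration(SAMPLE_LOG))                             # ['203.0.113.7']
```

The 404 on the fifth line still counts toward the threshold: a sweep past the end of a valid range is itself a signal, and responses that differ between valid and invalid identifiers are what makes the range walkable.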

------
puppetmaster3
People commenting are in
[http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect](http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect)

