
Andrew 'Weev' Auernheimer Faces Jail - mediagearbox
http://www.businessinsider.com/andrew-weev-auernheimer-att-ipad-hacker-sentencing-2013-3
======
eldr
I wonder how he would be treated if he had picked up a stack of paper
printouts an AT&T employee had left on a park bench and taken it to a news
outlet in order to showcase AT&T's recklessness with customer information?
Would Aaron Swartz's case have been handled the same way if he'd gone into a
library and photocopied a whole heap of journal articles? The powers that be
seem terrified that someone might use technology in a way which they can't
control. Apart from the disgusting human rights abuse that these cases
illustrate, I worry about the future when people like judges and prosecutors
think it's at all fair or reasonable to put people in jail for freely
accessing information.

------
Encosia
It blows my mind that someone could get 10 years for idempotent operations on
what was essentially a public API. Put in any other context than "scary
computer hacking", it would be obvious to most people that the insecure system
was at least as much to blame as this kid.

~~~
objclxt
Firstly, the laws around this sort of thing are _very_ stupid. But with that
said...I'm not wholly sympathetic here.

The disclosure was _totally botched_. The IRC logs that came out during the
case showed that Andrew and Dan (Spitler) talked about shorting AT&T stock
(they ended up not doing this, but it's not the sort of thing you talk about),
and going directly to news organisations, bypassing AT&T. They also considered
(perhaps jokingly, but again, not something you joke about) selling the e-mail
addresses to spammers.

Andrew also initially told Gawker he'd disclosed to AT&T, when in fact he
hadn't (Ars has a good summary here[1]).

I am definitely not saying that a ten year sentence is warranted, or that any
sort of custodial sentence is appropriate. In fact, I doubt he'll be given 10
years, more like 2-4 (since his fellow defendant, who pleaded guilty, got 12-18
months). But I do think the disclosure was handled really, really badly. I've
found and disclosed very similar vulnerabilities - I would not leak the entire
database out. That's just crazy.

Again, it's the old black/grey/white hat argument again. But to go public
without _even informing_ AT&T doesn't endear him to me.

[1]: <http://arstechnica.com/apple/2011/01/goatse-security-trolls-were-after-max-lols-in-att-ipad-hack/>

~~~
edem
I totally agree with you. They don't hand out 10 years for nothing. It is a
little harsh though.

~~~
yardie
_They don't hand out 10 years for nothing._

LOL. If you mean literally nothing then no. But the war on poverty, war on
drugs, and 3-strikes means the US justice system is handing out long sentences
for black and hispanic males at 3x the rate of white criminals.

------
DoubleMalt
Every piece I read about him made me like him less.

But despite my deep feelings of antipathy the charges that are brought against
him can NEVER warrant 10 years of prison.

That's ridiculous.

~~~
objclxt
In many countries simply _accessing a public server without consent_ is
illegal. Here in the UK the Computer Misuse Act contains the following gem:

> _It is an offense to make a computer perform a function and for that
> function to be deemed unauthorised by the owner of that computer_

This is fantastically broad. I believe it's similar in the US. It's led to
convictions for things like directory traversal, XSS testing, and even people
looking for vulnerabilities with good intentions. If you're doing stuff like
this, _be aware of the risk_. Some companies are very good about it (Facebook,
Google, etc). Others take a far dimmer, litigious view (AT&T?).

These are not laws that are taught in a civics class. I think it's important
that until the laws can be changed (and they definitely _should_ be changed)
that people in this field know the risks, and weigh them up accordingly.

I agree with you that Andrew's approach is quite...antagonistic. I wouldn't,
for example, go on the record saying I think "a sane society would lynch [...]
Carmen Ortiz". Personally, I'm not in favour of public lynchings. This isn't
going to endear you to the court, or to those who could help change the law
for the better.

~~~
rorrr
> _In many countries simply accessing a public server without consent is
> illegal_

1) Set up a public server

2) Wait for google bot to show up

3) Press charges against google

4) Sue in civil court

5) Profit.

~~~
arethuza
And in some countries you can only sue on the basis of an actual loss so as
you haven't lost anything you have nothing to sue for...

~~~
prawn
There was a case where a search spider deleted all content from a database by
following delete links. Would that count?

------
rdl
This sucks. weev is an asshole and troll, but he's also a friend, and he
hasn't done anything a lot of other people don't do routinely. I hope he gets
a suspended sentence, but I think the 50/50 is he'll get ~3 years in total,
served at least 1.5y in a federal prison.

------
sergiotapia
"In 2010, Auernheimer and a compatriot, Daniel Spitler, discovered that
visiting an unsecured AT&T Web server and entering a number associated with
the customer's wireless account allowed him to obtain that customer's email
address.

By altering the number and repeatedly querying the server, Auernheimer and
Spitler were able to obtain hundreds of thousands of email addresses, which
they then released to Gawker."

===

Amazing that something as simple as that landed him 10 years. This is
something even I have done with some servers for telecoms in my country. And
trust me, I'm no hacker. I just know basic HTTP GET request parameters, and
what asshole doesn't know about those?

The laws in the US are terrible.

~~~
crusso
Testing car door handles in a full parking lot is amazingly simple too. Does
that mean it's okay to look through any unlocked cars' glove compartments to
collect personal information of the owners?

Auernheimer crossed a line. The punishment seems excessive, but then again I
don't know all the details of what he tried to do with the data.

The fact that he obtusely refuses to recognize that he crossed a line doesn't
exactly make me feel sorry for him.

~~~
rcfox
If you have a lot full of unlocked cars, perhaps you should bear some of the
blame too?

When Sony was hacked and user data was leaked, they received quite a bit of
blame. At least they had some semblance of security. AT&T was wide open.

~~~
Nrsolis
"But your honor! SHE WAS ASKING FOR IT! You can see how she dresses."

~~~
rcfox
You've missed my point. If you were in a parking lot and found your car to be
unlocked, this might alarm you. You might try someone else's door to see if
it's similarly unlocked, and just to be sure it's not a fluke, you might try
another.

I'm not even going to try to adapt that to your rape scenario. I feel like
there should be an equivalent of Godwin's law that I could appeal to in this
context.

~~~
crusso
You paint far too innocent a picture of what happened. If we're going to use
analogy, can't we make an effort to have it be accurate?

Let's roll with your scenario -- Do you systematically go through all the cars
in the lot? Do you collect personal information from those cars, like names on
the insurance? Do you get busted making on-the-record comments about
exploiting the use of that data for your own personal gain?

Seriously, weev was hardly being a good samaritan. He was doing something he
shouldn't have been doing, made some stupid/incriminating comments in a public
forum, then didn't handle the data properly. Worst of all, he's facing serious
jail time and is too obnoxious to even admit that what he did might have been
inappropriate.

Personally, I'm all for living in a world where you can leave your car door
unlocked and not be blamed when someone opens the door. Call it a Godwin-esque
move if you want, but I'm just not into blaming victims.

------
arbuge
It seems to me that the real villain is AT&T, for making this private data
entrusted to its care freely available to the public. What criminal and civil
liabilities will it face?

~~~
crusso
That's disingenuous. "Freely available" implies that AT&T desired to give this
data away or advertised it knowingly. Clearly they didn't.

What Auernheimer did, with intent, was to bypass AT&T's intended use of the
system.

What AT&T did was incompetent or perhaps even negligent by a reasonable notion
of corporate coding standards. You'd need to dig a bit more to learn how
systemic the incompetence/negligence was before attempting to assign appropriate
blame, though. Maybe some contractor got into the system and made the change
that made that exploit possible the day before and deployed it without
following AT&T release guidelines. I dunno. Knowing that kind of info matters,
though.

Let's not twist the facts of what happened in order to justify different
outcomes.

~~~
arbuge
Disagreed. The facts are indeed that AT&T made this freely available... my
definition of making something available is that it is readily available for
the taking, whether I desired to give it away or not. If I leave my front door
open due to negligence, I probably don't desire to be burglarized, but it is
true to say that I have made my house contents freely available. If my house
contents include a laptop full of people's private data, then I think it's
reasonable I should face some penalties.

As to your other point, AT&T is responsible for the actions of its contractors
as well as for its full-time employees.

~~~
crusso
For anyone with a little knowledge about locks and basic tools, no
conventional door lock prevents entry. So by your logic, nearly all house
contents are freely available.

Regarding AT&T, it's not a question of responsibility - it's a question of a
level of fault that is negligent. At some level, it's your responsibility
because you gave AT&T your data, right? At some level, it's your
responsibility because you have an email address, right?

Without a detailed assessment of many factors, just throwing out there that
AT&T is negligent seems to be fairly irresponsible.

~~~
arbuge
Nah. If I give any website my email address, I have a reasonable expectation
it won't be published on that website in a public manner ripe for harvesting.
Unless of course the Ts&Cs I'm signing explicitly say it will (somewhere
prominent, preferably in bold red with flashing letters).

------
rohern
Here is a very good lecture on the state of cyber crime law. I recommend it to
everyone in this community. Things are crazier than you are probably aware.

<https://www.youtube.com/watch?v=q0Z_z4EHq6M>

------
nwh
This website just showed a full page advertisement, then kicked me back to
their home page when I clicked the continue button. Monumentally useless.

------
osamas_mama
i love weev and i had a blast trolling with him back in the day but he's
nothing like swartz. the biggest split being that swartz had good intentions
whereas weev was having fun.

i don't think he should be imprisoned for exploring at&t's god awful security
but i also don't think he should be worshipped.

------
jrockway
What exactly was he found guilty of?

~~~
andyjohnson0
"Andrew Auernheimer, 26, of Fayetteville, Arkansas, was found guilty in
federal court in New Jersey of one count of identity fraud and one count of
conspiracy to access a computer without authorization." [1]

Those were the charges. Ridiculous in my opinion.

[1] <http://www.wired.com/threatlevel/2012/11/att-hacker-found-guilty/>

~~~
jrockway
What is AT&T guilty of? Is it now legal to publish personal information
without any authentication?

~~~
andyjohnson0
I just listed the charges, I didn't say I agreed with them. And I didn't say
anything about AT&T.

It seems clear that AT&T failed to protect their customers' personal details.
Whether that makes them criminally liable depends on US law, about which I
know almost nothing. This [1] article seems to imply that it is fairly weak
compared to European data protection laws, so it may be that AT&T did nothing
wrong in a strict legal sense.

While it's tempting to think that he was just made an example of for
embarrassing a corporation, he did write a script to harvest 120,000 email
addresses from the AT&T server. I'd say that constitutes criminal intent, even
if he had no intention of using the addresses for a criminal purpose.

There are two problems here: 1. absent or weak data protection laws, and 2.
disproportionate sentencing guidelines (up to 10 years) for what in this case is
basically a victimless crime.

[1] <http://www.nytimes.com/2013/02/03/technology/consumer-data-protection-laws-an-ocean-apart.html?_r=0>

~~~
betterunix
"While it's tempting to think that he was just made an example of for
embarrassing a corporation, he did write a script to harvest 120,000 email
addresses from the AT&T server. I'd say that constitutes criminal intent, even
if he had no intention of using the addresses for a criminal purpose."

Criminal intent...to do what exactly? Email people? Was he planning to send
them spam?

Why are we punishing someone who writes a script? Do we really want to live in
a society where programming your own computer is a crime?

~~~
andyjohnson0
_"Criminal intent...to do what exactly?"_

Intent to commit a criminal act: "conspiracy to access a computer without
authorization". If he'd just accessed a few accounts then that could be
attributed to user error or a technical fault, if anyone ever even noticed.
But what he did shows persistent intent to do something which is illegal in
the US, even if he wasn't aware of the illegality.

Look, I agree with you. Jailing this guy is manifestly absurd, stupid, and
cruel. I was just trying to explain how other people, who may hold differing
opinions to you and I and happen to write the law, might see things. Doesn't
mean I agree.

~~~
jessaustin
That's circular reasoning. We started with, "he accessed a computer". Then we
asked, "what was his criminal intent in accessing that computer?" You can't
answer, "to access that computer."

_If_ he had sold the data to the Russians, _that_ would have been the
criminal intent we're seeking.

------
Nursie
Yeah this is ludicrous. AFAICT, AT&T effectively published this information to
the web, this guy just pointed out where it was.

Not a crime.

~~~
Volpe
Didn't he try to extort money out of them after spidering all the information?

~~~
sp332
He talked about it, but I don't think that actually happened. The chat log was
used against him at the trial anyway.

~~~
objclxt
He was charged with conspiracy, so it's relevant that it was discussed.
Conspiracy usually requires discussion of the intended crime, and then at
least one party to commit an act that furthers that crime. It doesn't actually
require the crime itself to be committed.

------
maeon3
When everyone is a criminal all the time, with selective enforcement, it makes
it easier to tax and control. When political winds shift, you can eliminate
anybody you want, because you just make an excel spreadsheet of political
enemies and then forward it by email to law enforcement for increased
surveillance, and whamo, felony convictions, how much you want? 1 year? 5
years? 10 years?

The government is just trying to maintain its power over the people, when
federal reserve realizes there is no other alternative except to default on
the US treasury, there is going to be a lot of unrest, and the internet will
be a focus point of governmental rebellion, it's important everyone who
accesses the internet is a felon. Especially the coders, like this one, who
will be making the rebellion possible.

You got to put the fear in them. We may be the ones, like our founding
fathers, who have to write up a new constitution, bill of rights, and spawn a
new nation to break away from the defective one. Like the good men of old time
broke away from Britain. The battlefield this time around will not be on the
shores of Boston, the battlefield will be software, servers, clicks, and smart
phones.

As with all battlefields, the side who wins is the one who prepares the most.
This is why we are cracking down on website clicking by programmers, rather
than cracking down on governmental corruption.

~~~
rwmj
I guess you must live in China. Here where I live, the government is made up
of ordinary people who are also subject to the law, and we can vote to change
the law whenever and however we want.

~~~
rytis
Just out of curiosity, where do you live?

~~~
rwmj
The UK, but my answer would equally well apply to the US or the majority of
democratic nations. There's not a Big Conspiracy. There's just lots of people,
often stupid and ill-informed, but nevertheless people voting for what we
want.

~~~
betterunix
"There's just lots of people, often stupid and ill-informed, but nevertheless
people voting for what we want."

How exactly do you think uninformed people are voting for what they want? The
USA is a country where people are _surprised_ by what is illegal.

~~~
rwmj
Firstly, it is possible to go out and inform people. Best to get off HN and
out of the house, because only a tiny number of pretty intelligent people use
HN and all of us have similar backgrounds and beliefs.

Secondly, although I think HN-readers would make great voters on subjects we
care about, eg. how the Internet should be regulated, yet I'm sure _we'd_ be
mostly stupid and ill-informed about things that we don't know or care about,
eg. farming regulations, or sickness benefits for elderly mentally-ill
patients, or a thousand other specialized subjects.

~~~
betterunix
"yet I'm sure we'd be mostly stupid and ill-informed about things that we
don't know or care about"

That is not the issue. The issue is whether or not we are _expected_ to follow
laws that we know nothing about, particularly since ignorance of the law is
not considered a valid defense in this country. If you are not running a farm,
you are not expected to adhere to farming regulations and you could not
violate those regulations. On the other hand, if you _use_ a computer -- and
the majority of US citizens do -- you _are_ expected to abide by computer
laws.

Right now, there are a lot of laws that _everyone_ is expected to follow but
that few people are aware of. Most Virginia residents had no idea that
opposite-sex cohabitation was illegal when that law was repealed -- millions
of people in that state could have faced prosecution for a law they were never
aware of (and in the 90s a woman was threatened with prosecution as part of an
attempt to shut down her business). Typically, the police are unaware of these
laws and so most people will never be arrested even if they are in violation.
On the other hand, when the government _wants_ to prosecute someone (e.g.
Alexander Shulgin), all they need to do is look hard enough to find a law the
person violated. Sometimes the government seeks nothing more than to set a
precedent (Aaron Swartz) that would allow them to prosecute others. That is
where the real danger lies: the government is limited not by the lack of
criminal laws but by its own inefficiency in searching the legal code.

Most people are entirely unaware of this situation and believe that as long as
they are not harming anyone they are safe. It is hard to raise awareness,
because most people do not see anyone being prosecuted in this way, and even
when they see it they usually have a hard time feeling sympathy for the
defendant (e.g. Lori Drew). After all, who can feel sorry for someone who
collects this sort of artwork:

<http://www.japanator.com/man-arrested-for-manga-collection-the-comic-book-legal-defense-fund-will-take-the-case--8753.phtml>

