
You May Not Like Weev, But Your Online Freedom Depends on His Appeal - Libertatea
http://www.wired.com/opinion/2013/07/dont-hate-the-crime-hate-the-person-how-weevs-appeal-affects-all-of-us/
======
nicholassmith
I agree with the sentiment that computer use crimes need to be reworked, and
that weev shouldn't have been hoisted by the fact he is a colossal dick but
the article seems to gloss over things for the sake of the argument.

    
    
       - `The spoofing was irrelevant; Spitler would have gotten the same email addresses if he had manually inputted the URLs on an iPad rather than a spoofed desktop browser.`, the spoofing is incredibly relevant, it's an important technical detail. Sure, he could have sat and put each string in, in a long laborious process, but they circumvented that and went straight to the faster option. Once they'd established there was a hole they could have stopped rather than going for the motherlode. 
    
       - `if there’s no technical barrier...`, there was a technical barrier, it was just very, very small. 
    

Don't misunderstand me, AT&T are massive idiots for letting a security
violation on that scale leak out into the wild, and they shouldn't have been
surprised for it to be discovered, but if you're doing live security research
and find a hole, is taking 114k email addresses a particularly good way to
report it?

He certainly didn't deserve the ridiculous amount of time that he got, but
he's not an innocent in this example by any stretch of the imagination.

~~~
sneak
It doesn't matter if they accessed one or a million - accessing information
published on the web SHOULD NOT BE CRIMINAL.

Whether you agree with his methods or not, there is no stretch of the
imagination that makes prison for downloading (even 114k of) them make sense.

It wasn't a hole or bug; it was an expressly implemented feature. ATT decided
to do it this way to reduce resubscription friction. The iPad sends the sim
serial (ICCID), and ATT sends the HTML form with the email address already
filled in, so all the user has to do is enter the password.

As it turns out, ICCIDs are sequential integers.

It should always be perfectly legal to access a remote computer system via a
publicly accessible interface. It's up to that remote system to respond
appropriately. In this case, it was working exactly as ATT intended.

Weev knew that the greater the number of records he got, the worse it would
reflect upon ATT, and rightfully so.

~~~
vertex-four
So, if somebody has SSH open on port 22, root password login enabled, and a
root password of Pa$$w0rd, and I guess that and log in, should that be legal?
If so, what about a more complex password? Should we legalise other remote
attacks on systems?

It could very reasonably be argued that in the case of AT&T's system, device
IDs count as passwords for accessing the system.

Simplifying things a little, there was an API, which looked somewhat like
this:

    
    
        GET http://example.com/get-email?device-id=123456
        > example@example.com
    

Now, if we replaced that with some sort of bespoke raw socket interface that
somebody would have to reverse-engineer:

    
    
        CONNECT example.com:4567
        > <somemessage>123456<somemessage>
        < <someresponse>example@example.com<someresponse>
    

Would you still be arguing "it's on the web"?

What if I added a field named "password" which always had to be the same
value, which was distributed to all devices?

What if it wasn't email addresses, but instead credit card data, or sensitive
data such as your race, religion, sexuality, political leanings, medical
information...?

I'm not attacking you, simply stating that in my opinion, it's not as simple
as "if you can access it, it's public". There's an expectation of privacy for
many types of data, especially when the data owner is not explicitly intending
to publish the data.

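The exchange sketched above (a sequential device id as the only lookup key, with a User-Agent check as the "very, very small" barrier) and the challenge-response alternative mentioned further down the thread, as an added example that is not part of any comment here and not AT&T's code. The endpoint, parameter names, subscriber table and device secrets are all constructed for illustration; the real service is not modelled.

```python
"""Toy model of a prefilled-login lookup: weak form beside a hardened form.

Added illustration, not AT&T's implementation. SUBSCRIBERS, DEVICE_SECRETS,
IPAD_UA and all function names are constructed assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample subscriber table keyed by a sequential device id.
SUBSCRIBERS: Dict[int, str] = {
    1000: "alice@example.com",
    1001: "bob@example.com",
    1002: "carol@example.com",
}
IPAD_UA = "Mozilla/5.0 (iPad; CPU OS 3_2 like Mac OS X)"


def vulnerable_prefill(device_id: int, user_agent: str) -> Optional[str]:
    """The weak pattern: a User-Agent string is the only gate, and the
    lookup key is a sequential integer anyone can increment."""
    if "iPad" not in user_agent:
        return None
    return SUBSCRIBERS.get(device_id)


def enumerate_vulnerable(start: int, stop: int, user_agent: str) -> Dict[int, str]:
    """What a for loop over ids yields against the weak endpoint."""
    found = {}
    for did in range(start, stop):
        email = vulnerable_prefill(did, user_agent)
        if email:
            found[did] = email
    return found


# Hardened form: each device holds a secret provisioned out of band (assumed),
# proves possession via HMAC over a single-use server nonce, and a client that
# keeps failing is locked out. Knowing or guessing a device id is not enough.
DEVICE_SECRETS: Dict[int, bytes] = {did: secrets.token_bytes(32) for did in SUBSCRIBERS}


def device_respond(device_id: int, nonce: bytes) -> bytes:
    """Device side: bind the nonce to its own id under its secret."""
    msg = nonce + device_id.to_bytes(8, "big")
    return hmac.new(DEVICE_SECRETS[device_id], msg, hashlib.sha256).digest()


class HardenedServer:
    def __init__(self, max_failures_per_client: int = 5):
        self._nonces: Dict[int, bytes] = {}      # outstanding nonce per device id
        self._failures: Dict[str, int] = {}      # failed attempts per client
        self.max_failures = max_failures_per_client

    def challenge(self, device_id: int) -> bytes:
        nonce = secrets.token_bytes(16)
        self._nonces[device_id] = nonce          # single use: popped on verify
        return nonce

    def locked_out(self, client: str) -> bool:
        return self._failures.get(client, 0) >= self.max_failures

    def prefill(self, device_id: int, response: bytes, client: str) -> Optional[str]:
        if self.locked_out(client):
            return None
        nonce = self._nonces.pop(device_id, None)
        secret = DEVICE_SECRETS.get(device_id)
        if nonce is not None and secret is not None:
            msg = nonce + device_id.to_bytes(8, "big")
            expected = hmac.new(secret, msg, hashlib.sha256).digest()
            if hmac.compare_digest(expected, response):
                return SUBSCRIBERS[device_id]
        # Unknown id, missing nonce, replayed nonce and bad MAC all count the same.
        self._failures[client] = self._failures.get(client, 0) + 1
        return None


def enumerate_hardened(server: HardenedServer, start: int, stop: int, client: str) -> Dict[int, str]:
    """Same loop against the hardened server, with no device secret to hand:
    the attacker can only submit a forged response."""
    found = {}
    for did in range(start, stop):
        server.challenge(did)
        email = server.prefill(did, b"\x00" * 32, client)
        if email:
            found[did] = email
    return found
```

Against the weak endpoint, spoofing the User-Agent and walking the id range dumps every record; against the hardened one the same loop returns nothing and the client is locked out after a handful of failures, while a device holding its secret still gets its prefilled address exactly once per nonce.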
~~~
betterunix
The expectation of privacy covers _the company_, not the hacker who downloads
the information. What differentiates hooking up an insecure, password-
authentication-based system to the Internet, and leaving a plaintext copy of
the data on a hard drive on a park bench somewhere? Holding companies
responsible, and more responsible than hackers, would improve the state of
computer security in short order (to everyone's benefit).

~~~
vertex-four
I would hold both responsible quite happily and independently of each other.
AT&T obviously did not heed the user's expectation of privacy in this case -
they could've done so using a challenge-response authentication system with
the response algorithm protected by DRM on the iPad - but in addition, Weev
could reasonably be expected to understand that this was not supposed to be
public data.

Additionally, the expectation of privacy, in my opinion, covers the data
owners (the people who gave the company the data), not the company who is
merely holding and processing the data. Although the US has rather messed up
data laws compared to the EU, so I am not sure whether this would be true over
there.

------
linuxhansl
A few points that stuck out:

* "AT&T representative testified its reputation suffered as a result of the hack"

No, their reputation suffered because they were incompetent. Ironically,
without this trial I would have never heard about this.

* "At sentencing, instead of hearing about the effects of the iPad “hack,” the government recounted in detail Weev’s “attitudes” towards others on the internet."

That is because of the adversarial legal system in the US. All that matters is
to sway an uninformed jury. The specific matter of the case is almost
irrelevant as long as the jury comes to a "guilty" verdict.

Lastly, this reminds me of a civil version of the current Snowden debacle:
attempt to prosecute anybody who reveals wrongdoing or incompetence.

~~~
jakejake
I was a witness for a trial once and it's kinda bizarre. After all of the
lawyers' speeches and questions and explanations of the law, in the end it
just boils down to how 12 random people feel about it. I left with the feeling
that the process is fair only in the sense that it is equally random and
unfair to everyone.

If the prosecutor is able to make you seem unlikable, or you do it to
yourself, you most definitely increase your risk of being convicted. Mr.
Auernheimer strikes me as somebody who enjoys being shocking and perhaps
unlikable in the traditional sense, which is not an ideal situation in court.

~~~
pcwalton
Well, as a defendant you can waive your right to a jury trial, and many people
do for this reason.

~~~
jakejake
That's interesting. I actually didn't know that you could do that for a
criminal crime except in the case of a plea bargain.

------
stfu
I, for one, like Weev. He is a boundary pusher. Many even around here on HN
might perceive his stuff as tasteless. But I sincerely wish more people were
as dedicated to their "ideals" as Weev is.

Defending free speech means standing up for people who have controversial
views, no matter how uneasy you personally are with these views.

~~~
rayiner
How do you make this a speech issue?

~~~
sneak
Weev was surveilled and harassed by the feds for ages before they finally got
this one to stick.

He'd been on their radar for years due to his unpopular speech.

~~~
at-fates-hands
He claims they tried to frame him 5 times for terrorism, yet I can't find any
articles which detail what happened. Is there any solid evidence of this, or
is it mainly speculation?

Also, if you're already on the FBI's radar, wouldn't you think it would be
smarter to lay low and wait until things cool down before you start hacking
again?

~~~
Zigurd
Depending on which list you are talking about, there are tens of thousands,
hundreds of thousands, or millions of Americans on "The List." You might be
one.

------
mjn
The brief is actually quite readable:
[https://www.eff.org/file/37297](https://www.eff.org/file/37297)

If you're already familiar with the background of the case, for the meat of
the argument on appeal, skip to p. 15 (26th page of the PDF), starting with
"Summary of Argument". That section lays out the five objections being raised
on appeal, and is then followed by five sections making the detailed
arguments.

edit: direct link,
[https://www.eff.org/file/37297#page/26/mode/1up](https://www.eff.org/file/37297#page/26/mode/1up)

------
IanDrake
[https://www.eff.org/deeplinks/2013/06/eff-access-public-website-not-crime](https://www.eff.org/deeplinks/2013/06/eff-access-public-website-not-crime)

A link to the Craigslist vs. 3Taps spat in this article brought back memories.
Craigslist had also threatened me with a C&D letter suggesting they'd use the
CFAA to lock me up. I contacted the EFF who promptly told me to go screw...

I assumed that was because Craig is on the board of advisers and CL was a
major sponsor. I'm glad to see they're finally helping someone against the
giant internet bully that is CL.

------
coding123
So here's the solution.

1) Make a website called "freeweev.com" or something.

2) Put some legal mumbo jumbo at the bottom of the site that says something
about unauthorized usage of this website is a crime.

3) Make the post-signup page URL look something like this:
[http://freeweev.com/?id=12](http://freeweev.com/?id=12)

That simply says "Your email: ...@gmail.com will be updated when we have info
on the case. Thanks for your interest".

4) Let people "find this".

5) Get lots of people to report on the problem.

6) Fix the problem after the press gets it.

7) Freeweev.com takes everyone to criminal court under the CFAA. No lawyers
necessary, just tell the judge that there appears to be no difference between
these cases and the AT&T case; all of these people that hacked our site should
go to jail for 41 months. Also make sure that this involves MANY people.

8) Legal breakdown, no software development for anyone (like the
screen-writers' strike, right?)

------
onedognight
This is the same as if the URL was the following and all you had to do was
change the phone number and you would get an email address.

    
    
        http://att.com/email?phone=555-1212
    

And Weev noticed this and wrote a for loop to try all phone numbers.

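The "for loop to try all phone numbers" leaves a very recognisable trace on the server side. As an added example, not part of the comment above and not anything AT&T ran, here is detection logic that spots a sequential-id walk in web access logs. The log format, the `/prefill` path, the `device-id` parameter, the client addresses and every log line are constructed for this illustration.

```python
"""Flag clients walking a sequential id range in access logs.

Added illustration with constructed input; path, parameter name, addresses
and the combined-log layout are assumptions, not anything from the case.
"""
import re
from collections import defaultdict
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" style line (assumed format for the sample).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
IPAD_UA = "Mozilla/5.0 (iPad; CPU OS 3_2 like Mac OS X)"


def build_sample_log() -> List[str]:
    """Constructed sample: a few devices fetching their own id, plus one
    client stepping through ids 1000..1014 while presenting an iPad UA."""
    ts = "10/Jun/2010:10:00:%02d +0000"
    lines = []
    benign = [("198.51.100.4", 48213), ("198.51.100.9", 1337), ("198.51.100.4", 48213)]
    for i, (client, did) in enumerate(benign):
        lines.append(f'{client} - - [{ts % i}] "GET /prefill?device-id={did} HTTP/1.1" '
                     f'200 312 "-" "{IPAD_UA}"')
    for j, did in enumerate(range(1000, 1015)):
        lines.append(f'203.0.113.7 - - [{ts % (10 + j)}] "GET /prefill?device-id={did} HTTP/1.1" '
                     f'200 312 "-" "{IPAD_UA}"')
    return lines


def find_enumeration_runs(lines: List[str], param: str = "device-id",
                          min_run: int = 8) -> Dict[str, Dict[str, int]]:
    """Group requests by client in log order and report any client whose
    values of `param` contain a run of >= min_run consecutive integers.
    Returns {client: {"longest_run": n, "distinct_ids": m}} for flagged clients."""
    per_client: Dict[str, List[int]] = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparseable line: skip, do not crash the detector
        values = parse_qs(urlsplit(m["path"]).query).get(param)
        if not values or not values[0].isdigit():
            continue
        per_client[m["client"]].append(int(values[0]))

    flagged: Dict[str, Dict[str, int]] = {}
    for client, ids in per_client.items():
        best = run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1   # reset on any non-consecutive step
            best = max(best, run)
        if best >= min_run:
            flagged[client] = {"longest_run": best, "distinct_ids": len(set(ids))}
    return flagged


if __name__ == "__main__":
    for client, stats in find_enumeration_runs(build_sample_log()).items():
        print(f"{client}: sequential run of {stats['longest_run']} ids, "
              f"{stats['distinct_ids']} distinct")
```

The User-Agent alone tells you nothing here, since the enumerating client presents the same string as the real devices; what gives the walk away is one address requesting many distinct ids in strictly increasing order, which a genuine device never does. A stride other than one (every second or tenth id) would slip past this exact rule, so a production detector would also count distinct ids per client per window.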
------
aclevernickname
What a useless article. Jury found weev guilty already, and now they're filing
an appeal. No word on when the appeal will be heard, just 1,000 words to fill
up that lack of information, combined with linkbait headline.

------
andyzweb
free weev

------
lesslaw
It is a terrible decision

    
    
        curl 'http://domain.com/showdocument?[00000-99999]'
    

should _not_ be a crime!!

~~~
davidw
What if doing so killed a person for each ID at showdocument? Ok, that's
pretty absurd. What if it wiped out their bank account?

Don't you think that the consequences should depend on what the action
actually accomplished, rather than the action itself? Flicking a lighter is
generally pretty innocuous, but if done to light a house on fire, it means
it's a bit different - right?

Yes, it's their fault too for leaving it open, but you had a choice when you
decided to access it N000 times, rather than saying "oops, that does something
bad, I think I'll stop".

I don't think the punishment fits the crime in this case, but I don't think
he's entirely innocent either. Once you've shown that someone stupidly left
their door open, the polite thing is to let them know, rather than walking
around in their house looking at all their things to show them the error of
their ways. IMO a fine would more than suffice as a punishment, though.

~~~
betterunix
"What if doing so killed a person for each ID at showdocument? Ok, that's
pretty absurd. What if it wiped out their bank account?"

Shouldn't you hold the people who created that system responsible, rather than
the person who used it? If I rig up my cell phone to a gun, so that every time
someone calls it it shoots at a crowd of people, should the people who call it
go to prison while I walk free?

~~~
davidw
If they know what happens when they call, yes, they should go to jail too.

He knew what he was doing once he'd pulled down a few records.

Also, yes, ATT should be held responsible for implementing lame security.

~~~
betterunix
Sure, but my point is that he has no greater responsibility than AT&T does.
Why are we acting like AT&T is an innocent victim?

~~~
davidw
> Why are we acting like AT&T is an innocent victim?

No one here is. I'm not sure why no one has done anything to them, legally.
It'd be interesting if someone who actually knows what they're talking about
in terms of the legal system could comment on it.

