
Internet troll “weev” sentenced to 41 months for AT&T/iPad hack - jessaustin
http://arstechnica.com/tech-policy/2013/03/auernheimer-aka-weev-sentenced-to-41-months-for-attipad-hack/
======
DigitalSea
As much as this guy deserves some kind of punishment for the horrible way he
has treated people over the years, he doesn't deserve 4 years for being a
class-a asshole to people. What he did wasn't a hack, heck he didn't even
write the script that apparently scraped the data from the URL. A 12 year old
kid with an introduction to PHP book could even write a PHP script that did
what Weev did, it's not a hack it's a cheap exploit (I've done this with sites
like Google & Yahoo for scraping search results before). AT&T are somewhat to
blame for failing to protect the privacy of their customers in this instance,
a company has a duty of responsibility to ensure it takes reasonable measures
to protect customer data.

If I were the judge, I would have sentenced him to maybe 1 year (for releasing
the info publicly), maybe made him serve 6 months of the sentence and given
him a 3 year good behaviour bond with some conditions on getting some
counselling for his obvious narcissism problem. The justice system really
needs to get with the times, because these computer related
hacking/cracking/exploiting incidents are only going to continue being a more
common occurrence. The justice system is riddled with judges in their mid to
late 60's who were raised in a non-Internet world and thus cannot truly
understand the depth cases like these have or comprehend the extent as to how
these defendants should be prosecuted.

~~~
baddox
Considering he used absolutely no violence against anyone, I don't think he
deserves any violence to be used against him (including, obviously,
imprisonment).

~~~
jamesaguilar
Is there a way to enforce laws that doesn't require violence or the threat of
it?

~~~
jrockway
Yes. Garnish his wages.

Consider something like $10,000 over 10 years. Enough to notice, but it's not
going to make a software engineer homeless. (I think that's too much in this
case, but consider non-violent criminals in general.)

~~~
jamesaguilar
To be fair, this is a threat of violence against his employer if they do not
comply. Also, another way to look at it is forced taking, which is also
violent.

~~~
jrockway
Yes, but most employers err on the side of caution, reducing the likelihood of
violence. There will never be no violence until every individual on Earth
always acts in society's best interest without any persuasion whatsoever. I
think we can all agree that's not going to happen ever, so in order to
maintain order, we do need to threaten violence in the right circumstances.

~~~
jamesaguilar
Agreed. Your rationale and mine align, but are in opposition to the person I
originally responded to, who suggested a blanket prohibition on violent
punishment against non-violent offenders.

------
revelation
Yes, he's a terrible person. This news article should still be about AT&T being
fined a bazillion dollars for not safeguarding that data (of course that never
happened).

Any technical person of course understands that what AT&T did is akin to
dumping money on the sidewalk, but you would never know from the cloud of
uncertainty and ignorance that permeates these articles. We can't get more
specific laws if the understanding of journalists can't rise above the word
"hacking".

~~~
IheartApplesDix
AT&T has a very important role in national defense to fill. This criminal is
lucky he didn't get lined up and shot for treason.

Sure, we can say that AT&T is a telecommunications company that should try to
protect the customers that pay for their service, but we all know that AT&T is
actually a government intelligence agency with all the expected bureaucracy of
a military sect. Protecting their customers is #1, and their customer is US
Gov.

~~~
phaus
>Protecting their customers is #1

If AT&T gave a single fuck about its customers, Weev wouldn't have been able
to access another user's account by incrementing a number in the URL.

If AT&T gave a fuck about its customers, they wouldn't have destroyed any
chance of having a white hat point out security flaws to them in the future,
before the black hats find them.

If AT&T gave a fuck about its customers, they wouldn't charge customers $20 a
month for texting capabilities that cost them a nickel to provide, or $40 a
month for $2 worth of bandwidth.

Should I continue? There are a million other reasons why your statement makes
no sense whatsoever.

If they cared about customers, they would be open to criticism when security
experts are ready to offer it behind closed doors.

~~~
unimpressive
While I may not necessarily agree with it, you're missing his point. Kind of
like "if you're not paying for it you're not the customer", his argument is
that because telcos handle communications from every organization and entity
in the US, it's inevitable that they become a de facto intelligence agency for
the federal government. (That is, their number one customer is their
government interests.)

It's sort of a corollary to the idea that all of these convictions are
intended to set the precedent that all Internet users are criminals.[0] If the
primary purpose of telcos is to serve the US government, and the US
government wants to criminalize Internet use, then it would make sense for
them to serve "hackers" with hefty sentences in cooperation with the
department of justice.

[0]: <https://news.ycombinator.com/item?id=5393561>

------
mcantelon
And a $73K fine. AT&T, meanwhile, helps the US state spy on its citizens.

<http://www.nytimes.com/2006/04/17/opinion/17mon2.html>

------
throwaway420
It's really bothering me that all of the newspaper stories about this are
defining this as a "hack". That has a very negative connotation and is
coloring people's opinion about this case.

As far as I understand it, the data was publicly accessible and merely
visiting the URL output the data he found. I don't view that as hacking.

~~~
neya
No, not really. Even I don't support his arrest and imprisonment, but what he
did was really a hack - He did something that normal people wouldn't do and
extracted those emails. Of course, AT&T was assholish enough to have him
convicted, but still, this guy was in the wrong. He deserved a nice whack maybe,
but 3 years of his life is too much to pay for. Heck, even rapists and
murderers spend less than that, sometimes.

~~~
throwaway420
I'm harping on this word choice because most non-technical people do not
understand what technical people mean when they say "hack", yet every
newspaper article on this is using the word "hack" or "hacker" in the title
and coloring people's perceptions about this case in a negative and unfair
fashion.

If you use the word "hack" in front of normal people, they would probably view
it as some neckbeard breaking passwords and bypassing electronic safeguards in
a dangerous fashion. They would view it as equivalent to that scene from
Mission Impossible where Tom Cruise is dangling from wires to break into the
CIA or that scene in Terminator 2 where young John Connor gets easy money from
the ATM. I use those popular references because that's what most people think
is involved when you use the word "hack" when that's not the case here.

This case, if I understand it correctly, literally involved somebody visiting
a URL. Whether he did so by typing it into his browser or using an automated
program or not doesn't change the nature of the action to me.

~~~
twoodfin
I don't think you really mean that. If your bank were open to an XSS attack
that "only" required crafting a particular URL to allow access sufficient to
transfer funds, I don't think you'd be consoled that the "hack" that drained
your account was, at heart, only a matter of visiting some URLs.

Obviously this "hack" was simpler, and AT&T's security was lousy. But the
simplicity of an attack is not an excuse for mounting it.

~~~
wnight
In this "attack" the URL was incremented by one.

I've written a lot of loops, and incremented a lot of numbers, and none of
them have ever become properly escaped XSS exploits, or malformed YAML, etc.
If your bar for "hack" is so low that we're training pre-schoolers to
accomplish it, it may lack all descriptive power.

URLs are by design human readable and human editable. Simple discovered usage
of these resources is not hacking, it is intended.

Imagine you're reading a story at example.com/stories/bears-part_1_of_3.html
and just as it gets good, it's done. Without so much as a "The End".

Do you sit dumbfounded, or do you hack the bejeezus out of the website?

See how silly that sounds. So let's just say you "went to the next page".

~~~
frou_dh
Call it "Crafting a URL for $INTENT" and save all this talking past each
other.

~~~
wnight
Gotta make it seem scary somehow.

------
unix-dude
Absolutely ridiculous. From what I've read about "weev", he wasn't really the
nicest guy on the 'net. I don't know specifics, but really, I don't think they
matter.

Here we have a person accessing publicly available data on a public server.
It's analogous to ATT posting customer information in a public alleyway (maybe
not intended for public viewing, but within the legal possibility of the
public to view), and having someone take a picture of the information.

No violence, no trespassing. Disseminating information left sitting around ==
Jail. This kind of crap needs to stop.

~~~
Evbn
So if I peep in your home window and photo you naked and photo your documents
and post it all online, not illegal?

~~~
corin_
If those documents you take a photo of are "an email address" and posting it
online is "giving it to a journalist who redacts information before taking a
screenshot and doesn't release a dump of the data" then I would suggest that,
while I wouldn't be too happy with you taking photos through my window, I
wouldn't expect you to go to jail for it.

~~~
efdee
I'm amazed by the hoops people will jump through to protect this rat. He
already admitted that his ultimate goal was to "harass and embarrass" "rich
people".

~~~
corin_
I'm pretty indifferent towards him, he does seem like a moron and an asshole,
but this is pretty much the first time I'm hearing anything about him (before
I recall hearing "weev" and a few details about the AT&T stuff, nothing about
who he is).

Him being an asshole doesn't mean he deserves jail time for what he did.

How about rather than deciding he deserves punishment because you don't like
him, and then getting upset when anyone disagrees with you, judge his "crime"
and decide whether it deserves jailtime. After that, feel free to separately
judge him as a person and decide you won't lose any sleep over his
punishment.

------
noonespecial
I'm afraid the message the DOJ is sending with this sort of thing (Aaron
Swartz in mind as well) is "in for a penny, in for a pound". If you're going
to do the hack, _f#ck them up_, because they're going to sentence you as if
you had in any case.

~~~
Evbn
Exactly. The prosecution industry thrives on crime, not on preventing crime.

------
ianstallings
Although I do think the sentence was ridiculous this is a good life lesson.
When a man or group of men hold the fate of your life in their hands, take the
moment seriously. Those smart comments will seem like a waste of time once
you're behind bars, trust me. Anyone that's been to jail can tell you only one
thing - do anything you can in your power to avoid going there. At the point
of sentencing the gears are in motion. Don't apply oil by being an
open-mouthed fool.

~~~
sneak
The law is unconstitutional and it will be thrown out on appeal. It doesn't
matter if he gets 40 months or 4000.

Knowing that, why not do it like he did?

~~~
ianstallings
Because then he could get out and be free sooner? If you don't see the value
in that then I don't know what else to say.

~~~
sneak
He would not have been out any sooner. Perhaps you misunderstand me.

------
D9u
Fuck AT&T and the Judge who granted them, and Verizon et al, immunity for
their cooperation in the unconstitutional domestic surveillance program.

The corporations and government can get away with what amounts to murder, yet
this troll gets locked up for harming no one?

Where is the victim? Where is the harm?

Does the punishment fit the crime?

------
jackmoore
Last night's discussion: <https://news.ycombinator.com/item?id=5393367>

~~~
smsm42
And another one: <https://news.ycombinator.com/item?id=5395112>

Looks like every article on the net about it will get a separate topic.

------
dmix
"Hack" used lightly.

