
iPad Hack Statement Of Responsibility - acremades
http://techcrunch.com/2013/01/21/ipad-hack-statement-of-responsibility/
======
droithomme
Twelve months ago on this very site it was discussed how a private company
named Path was, without permission and certainly illegally, stealing the
entire address books of users and uploading them to their own servers. The CEO
of that company appeared right here on this board personally (not surprising
he follows this board as he has invested in YCombinator projects
[[http://www.forbes.com/sites/nicoleperlroth/2011/08/25/yc-
com...](http://www.forbes.com/sites/nicoleperlroth/2011/08/25/yc-combinator-
start-ups-guess-which-will-be-worth-a-billion/)] ) and not only defended his
actions but justified them, proud of the fine work of data theft he engaged
in. [<https://news.ycombinator.com/item?id=3563368>] He also said in a comment
on his blog that these actions of stealing entire address books were a common
practice in industry: "This is currently the industry best practice"
[<https://news.ycombinator.com/item?id=3563639>]. And in fact it turned out
that companies as large as Twitter were also engaging in the same type and
manner of data theft [[http://articles.latimes.com/2012/feb/14/business/la-fi-
tn-tw...](http://articles.latimes.com/2012/feb/14/business/la-fi-tn-twitter-
contacts-20120214)].

At that time some HN members, possibly some of the same ones here attacking
this hacker (perhaps with good reason), defended the data-theft-for-profit
actions of these companies.

These two positions are not consistent. People may wish to pick a side of this
issue and stick to their position if they wish to be taken seriously, or frame
a coherent argument why it is acceptable for corporations to engage in data
theft from individuals but the reverse should be severely punished with prison
time and other penalties.

Those who genuinely believe that weev should be prosecuted and imprisoned for
his actions may wish to consider if the same call should be made for criminal
proceedings against the larger scale and more clearly profit driven data theft
actions taken by large and well funded companies such as Twitter, Path,
Facebook, Apple, and many others.

~~~
pragma
Oh my God. Did you really just write a holier-than-thou post comparing Dave
Morin to weev? Have you even bothered READING anything weev wrote?

A lot of people will never speak out against weev because of his scorched
earth tactics. His list of enemies is a lot longer than a few Feds.

~~~
kylemaxwell
Yes, weev is an ass. I personally believe that, at some point, he probably
_has_ done something worth jail time. But this isn't it, and neither is being
one of the worst trolls on the Internet.

------
zmanji
If anyone thinks weev deserves any sympathy, you don't know the full story.
weev had malicious intent and wanted to harm AT&T by exposing users data.
Instead of doing anything remotely rational he took all the data and wanted to
sell it.

Laws take into account intent (mens rea) and there is a lot of evidence in his
indictment that he wanted to profit off this act. He shouldn't be compared to
Aaron Swartz

~~~
rdl
I know weev personally. He's "an unsympathetic defendant", and probably the
9th level Internet Troll, but his goal was fundamentally speech -- he wanted
to draw a lot of attention to the issue, and embarrass ATT (hopefully enough
that they'd stop being such fuckups about security), etc.

He wasn't trying to profit from this. If that had been his goal, he would have
been a lot more stealthy.

It's arguable that he had "cleaner" motives in his act than aaronsw -- some
people say aaronsw wanted to release all the files he recovered to the
Internet (although there's no proof of that); weev just wanted ATT to suck
less.

weev has _said_ things far worse than what's alleged in this case (that they
wanted to compile a list and direct market the users); yet, if you judge him
by what he's actually done, he's just an asshole at times, but basically
reasonable. Fortunately just being an ass isn't a federal crime (although I
guess conspiracy to be an ass is).

~~~
aneth4
So he committed a crime and wrote words that characterize the intent behind
crime in such a way as to increase prosecutorial interest and sentencing. Now
you are saying he was just joking around when he said those things?

Perhaps it's true, but it's stupid and it's hard for me to imagine anyone taking
that explanation seriously, certainly prosecutors and judges.

If you walk into a bank with a gun and ask the teller for money, then say
"just kidding", .... Good luck.

~~~
rdl
Yes, weev is an idiot. Yes, weev is abrasive. Fortunately neither of those are
themselves crimes.

Weev has always taken _anything_ and turned it into drama. That's the whole
Internet Troll thing. A normal defendant wouldn't, when faced with a chance to
reduce his sentence by 1-3 years by "accepting responsibility", post something
like this to the press. It basically screams "upward departure" to a judge,
while at the same time rallying people on the Internet, which doesn't really
mean so much inside a federal ass-rape prison.

~~~
aneth4
There is a difference between being abrasive and openly declaring unlawful
intent. While the latter is not (always) illegal, it is a legitimate factor
for prosecutorial discretion and sentencing.

~~~
rsingel
Where was he openly declaring unlawful intent? The court transcript is on the
web.

------
DigitalSea
When you hear of horrible stories like that of Aaron Swartz and the author of
this insightful article Andrew Auernheimer it really paints a picture of just
how afraid the US government is of the Internet. People lament China for their
great firewall and control over its people and yet the US is starting to look
more and more like China every day. This is how revolts against governments
start: absurd laws and persecution of innocent people, which eventually pushes
people over the edge, and if they don't kill themselves they rise up and society
gets thrown into disarray, which only results in more oppressive laws and
absurd persecution. It's a horrible cycle.

All this guy did was exploit publicly available information. It seems the US
is now sending people to jail for pointing out other peoples stupidity. Sure
he probably went too far with the whole, "I want to embarrass AT&T thing" but
trolling is not hacking and it's not like Andrew had to bypass any form of
security to get the info in the first place.

Anyone would swear this guy found a way to steal credit card details...

~~~
warmwaffles
eh, this article doesn't paint the whole story.

~~~
DigitalSea
It doesn't need to paint the whole story. If the dude committed any overly
serious crime, he'd still be in custody right now awaiting sentencing. They
don't let you out on bail if you're a serious offender. I'm sure there is more
than meets the eye here, but given the spotlight being shined upon hacking
cases like this of late, it's not hard to believe that what this guy says
isn't what went down. Andrew was obviously a troll in every sense of the word,
reckless and irresponsible but by no means did he have to bypass any security
measures to get the email addresses. I would argue it's the equivalent of a
bank leaving its doors unlocked, alarm systems deactivated and lights on and
someone walking in and taking money, then the bank complaining they got
robbed, but this situation is blown way out of proportion and a metaphor like
that would be over the top.

What he did is no different to someone writing a script that scours the web
looking for email addresses (a tactic spammers have used and gotten away with
for years), except no trickery was required to get the addresses; AT&T were
handing them over unknowingly without recourse. This can't even be considered
a hack, more of an exploit if anything.

The stupidity of wanting to embarrass was no doubt a really stupid move to
make, but definitely not some security defying hack. People shouldn't be
jailed for acting like idiots, AT&T should be the ones being scalded for
allowing this to happen in the first place. A company has a responsibility to
keep customer data safe, AT&T should be no exception to that rule.

------
crazygringo
From Wikipedia:

 _"On 20 November 2012, Auernheimer was found guilty of one count of identity
fraud and one count of conspiracy to access a computer without authorization.
Auernheimer tweeted that he would appeal the ruling."_

Is the problem that the laws themselves are terrible, or that the laws are
being misused by overzealous prosecutors? I mean, if changing a public URL is
considered "conspiracy to access a computer without authorization"... Or is
this just not the full story, and he really was trying to do some "bad" stuff?

But if not: what can be done to change the law? Is appearing "soft on hacking"
such a bad idea that politicians just won't support something better? Or is it
really difficult to craft laws that actually _do_ criminalize "bad" activity,
without also technically criminalizing innocent activity?

What can be done?

~~~
rayiner
The problem is that there is little consensus on what the boundaries in
digital space should mean. Law makers, not without a certain logic, approach
things from the principles of private property. Is changing a public URL
considered "conspiracy to access a computer without authorization?" Well why
would you do it, intentionally? Would you jiggle my door handle to see if that
would unlock it? And if it was a crappy lock and jiggling it did unlock it,
would it be unauthorized access to my property if you then walked in the door?

There is a line of thinking in the tech community that accessing data you're
not supposed to access is only "bad" if you do something "bad" with it. But in
meat space, we enforce fences in their own right, whether or not there is any
other criminal activity involved. Arguably, doing so makes the larger problem
of ensuring that there _isn't_ associated criminal activity more tractable.

Actually, real world example: over the weekend someone stole my phone out of
my (unlocked) car while it was parked in my apartment building's garage. Now,
let's say he hadn't stolen the phone. Just rifled through the glove box and
center console. No harm no foul, right? Of course not. We presume there is no
good reason to be looking through someone else's car, even if you fully intend
not to take anything.

Now, that doesn't mean we should treat digital boundaries the same as physical
ones, but I don't think it's as obvious as some people in the tech community
make it out to be that there shouldn't be penalties (of some sort--the
magnitude of such penalties is a whole other debate) for intentionally
violating digital boundaries, regardless of how well they are protected.

~~~
greenyoda
It's not likely that someone would get a long jail sentence for breaking into
your car and not taking anything. If they had never committed a crime before,
they'd probably get a fine or probation. There are usually monetary thresholds
for a crime to be considered "grand theft" (a felony) vs. "petty theft" (a
misdemeanor).

~~~
jamesaguilar
And if weev had seen the exploit, thought to himself, "heh, that's funny," and
not gone back, he would not be headed to prison. But, that isn't what
happened.

~~~
rsingel
If he found it and then sold it to a government agency, he'd be rich and not
in jail. Selling exploits to the government is a lucrative business. Google
"CIPAV", for one.

~~~
tptacek
Are you suggesting that the government would have purchased a bug in AT&T's
website?

~~~
rsingel
No. AT&T is willing to do anything the gov wants. Now, say it was a hole in
Gmail? I bet there's government agencies, foreign and domestic, that would buy
that for sure.

~~~
tptacek
There seems to be a pervasive notion that because mass-exploitable remote code
execution vulnerabilities have a market value, _all_ vulnerabilities do.
That's not true.

~~~
rsingel
Agreed. I stand corrected.

------
ghshephard
I wasn't sure whether this is a spoof or not. Is he serious when he writes -
"I did this because I despised people I think are unjustly wealthy and wanted
to embarass them. "

That was his admitted rationale - that he was seeking to embarrass people he
despised because they were "unjustly wealthy?"

~~~
webXL
There are plenty of ways to embarrass people that are legal, and possibly
moral. The question is: was this one of them?

~~~
jbigelow76
Another question would be: does harvesting emails embarrass, in his
words, the "unjustly wealthy"? Is it the CEO or one of the board members that
is responsible for web server configurations?

Obviously pure speculation (mixed with cynicism), but recalling this story of the
email harvesting I have no problems imagining a conversation like this
occurred:

PR Flack: "Sir, we had a little PR snafu today and millions of email addresses
of paying customers were exposed."

CEO: "So what?"

PR Flack: "Well it looks bad sir."

CEO: "Fine, shitcan some 50K a year nerd in one of the data centers and then issue
a press release indicating how seriously we take customer privacy".

------
gambiting
As a person coming from a former Soviet satellite republic, I must say that
the more I read, the less and less difference I see between the countries that
are well known for disregarding human rights and the "land of freedom" - the
US. The only difference I can think of is that they probably won't shoot you
in the broad daylight, like it happens in Russia. But other than that, the
image is complete - if you do something the government doesn't like, they can
absolutely destroy you. They can put you in prison without a court order,
freeze your assets for an indefinite amount of time, spy on you, send agents to
follow you, deny you the information why they are doing this, and they do
threaten journalists to not write about some cases or risk prosecution for
violating "national security". I am honestly sorry for people who live in the
US and happen to do something that their government perceives as wrong.

------
miw-sec-work
weev still thinks that AT&T 'published' this information. AT&T had no
intention on 'publishing' this information, he abused their system in order to
obtain it, then he leaked it.

No weev, you found a bug in their web app, then _YOU_ willfully published
other peoples personally identifying information for your own fame and glory.
Unfortunately, someone whose name and details you leaked didn't like that, and
called in a favor. The DoJ came after you hard.

Your little TechCrunch article chooses to omit crucial facts, and you are
riding on the back of Aaron Swartz again. You are nothing like Aaron.

~~~
lessnonymous
But they did publish it. Just because they didn't _intend_ to publish it
doesn't mean it wasn't published.

Right now the URL I'm looking at has "id=5095821" in it. If I change that to
"id=5095822", I'm looking at something else published by Hacker News. But by
DoJ standards, I'm "hacking" and have broken the law if HN didn't deliberately
publish it.

weev is an ass. But he didn't hack anything.

These cases are trying to set a standard of "security by intent". There is no
such thing. It's like my internet banking saying "To access your bank account,
please type in your account number. Be careful to get it right or you'll be
looking at someone else's account"

~~~
ghshephard
He certainly hacked it - but that's not necessarily pejorative. Your average
individual couldn't just try entering the number into AT&T - weev had to spoof
the user agent, and, make some intelligent guesses as to what valid CCID's
would be.

It's not the world's greatest hack, but it certainly was using the system in a
manner that I'm certain AT&T did not intend. The IRC logs indicated that they
knew what they were doing was likely criminal, and if AT&T discovered them,
would "sue" them.

Whereas I'm guessing PG would be fine with you incrementing the number on the
HN URL. And I'm pretty certain that's not criminal behavior.

It's important to note, that just because weev was hacking the AT&T site,
didn't mean it was a _criminal_ hack. In my mind it barely crosses the line -
and he gets punished somewhat, but I'm thinking a week in jail and 30 days
community service - not the silly levels that the feds are going to in this
case.

~~~
gambiting
So what you are saying is that AT&T could have made a webpage with all user
data in plain text, and just written at the top in capital letters: "YOU ARE ONLY
INTENDED TO LOOK AT YOUR OWN DATA, DISREGARD EVERYTHING ELSE" and it would be
magically ok, because you know, if you look at other people's data then you are
not using the webpage as it was intended to? Because this is basically what
they did. Yes, an average American individual would not know how to change the
URL, but that does not mean that the data was secure. And AT&T has every legal
obligation to keep their customer data secure.

~~~
ghshephard
I'm not saying AT&T was in the clear. Obviously just requiring a reasonably
easy to guess number to secure an email address is amateur hour. But, at the
same time, just because web security is easy to break into, doesn't give
people free rein to go traipsing through and pull out what they can.

Keep in mind - 99% of the population wouldn't have been able to figure out how
to spoof the user-agent to get into the AT&T site, and most of those that
could, wouldn't have gone beyond extracting a couple IDs, and then notifying
AT&T.

Weev's sin (if not felony behavior) was extracting 100,000+ personal email
addresses, and then exposing them for the sheer purpose of embarrassing people
he despised. Do I believe he engaged in illegal behavior? Yes. Do I believe it
merits years in Jail? No.

With regards to legal obligations - In California, the closest I can find is
Bus. & Prof. Code §§ 22575-22578 [1]. It is a requirement for site collecting
personal information to "conspicuously post its privacy policy on its Web
site"

I can't find any laws in California that require the securing of this
information beyond that, though.

[1] [http://www.leginfo.ca.gov/cgi-
bin/displaycode?section=bpc...](http://www.leginfo.ca.gov/cgi-
bin/displaycode?section=bpc&group=22001-23000&file=22575-22579)
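
Since this sub-thread turns on whether incrementing an ID in a URL and spoofing a User-Agent counts as bypassing security, here is an added illustration (my own code, not from the TechCrunch piece, any commenter, or AT&T) of the two designs side by side: a lookup that selects the record purely by a guessable number and is "gated" only by a client-controlled header, beside one where the server decides who the caller is from a token it issued and returns only that caller's record. The sample records, the sequential `device_id`, the `RECORDS`/`SESSIONS` stores and the handler names are constructed assumptions, not AT&T's real endpoint or anyone's actual script.

```python
"""Guessable-ID lookup behind a User-Agent check, beside a lookup bound to an
authenticated session. Added example with constructed data; not AT&T's API."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample records, keyed by a sequential device identifier
# (an assumption standing in for an ICC-ID-style number).
RECORDS: Dict[int, Dict[str, str]] = {
    1000: {"email": "alice@example.com"},
    1001: {"email": "bob@example.com"},
    1002: {"email": "carol@example.com"},
}


@dataclass
class Request:
    device_id: int                        # taken from the URL: attacker-controlled
    user_agent: str                       # a client header: attacker-controlled
    session_token: Optional[str] = None   # only meaningful to the hardened handler


Response = Tuple[Optional[str], int]      # (email or None, HTTP-style status)


# Weak design ("security by intent"): the only check is a header the client
# sets itself, and the record is chosen solely by the number in the URL.
def weak_lookup(req: Request) -> Response:
    if "iPad" not in req.user_agent:
        return None, 403
    rec = RECORDS.get(req.device_id)
    if rec is None:
        return None, 404
    return rec["email"], 200


# Hardened design: identity comes from an unguessable token the server issued,
# and the handler returns only the record that principal owns.
SESSIONS: Dict[str, int] = {}


def login(device_id: int) -> str:
    """Issue a 256-bit random session token bound to exactly one device id."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = device_id
    return token


def hardened_lookup(req: Request) -> Response:
    owner = SESSIONS.get(req.session_token) if req.session_token else None
    if owner is None:
        return None, 401                  # not authenticated at all
    if owner != req.device_id:
        return None, 403                  # authenticated, but not for this record
    rec = RECORDS.get(req.device_id)
    if rec is None:
        return None, 404
    return rec["email"], 200


# The scraper the thread describes: walk a range of ids with a spoofed
# User-Agent and keep whatever the handler answers with 200.
def enumerate_ids(handler, start: int, count: int,
                  user_agent: str = "Mozilla/5.0 (iPad)") -> Dict[int, str]:
    found: Dict[int, str] = {}
    for device_id in range(start, start + count):
        email, status = handler(Request(device_id=device_id, user_agent=user_agent))
        if status == 200 and email is not None:
            found[device_id] = email
    return found


if __name__ == "__main__":
    print("weak endpoint:", enumerate_ids(weak_lookup, 990, 20))          # all three
    print("hardened endpoint:", enumerate_ids(hardened_lookup, 990, 20))  # nothing
    tok = login(1001)
    print("own record:", hardened_lookup(Request(1001, "curl/8", tok)))
    print("someone else's:", hardened_lookup(Request(1000, "curl/8", tok)))
```

The point the code makes: the User-Agent gate is a format check, not an authorization decision, because the client controls the header; and a sequential identifier is a selector, not a credential. The fix is not a longer or more obscure number in the URL but a server-side authorization check against a principal the server established itself (the session token here), which is why `enumerate_ids` collects everything from `weak_lookup` and nothing from `hardened_lookup`. On the operations side, the same scraper leaves a recognisable trace, many sequential ids from one client with a high 404 ratio, which is worth alerting on regardless of how the endpoint is built.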

------
Empro
This is one side of the story. I'm not going to form an opinion, and then
criticize the US government, weev, or AT&T, without seeing the other side.

~~~
monochromatic
Good call. [http://arstechnica.com/apple/2011/01/goatse-security-
trolls-...](http://arstechnica.com/apple/2011/01/goatse-security-trolls-were-
after-max-lols-in-att-ipad-hack/)

~~~
DoubleMalt
Ars Technica lost a lot of respect with me yesterday when they stated in the
analysis of Mega's security that symmetric encryption is inherently less safe
than asymmetric.

Also the quoted article does not appear to show considerable insight on
internet security.

Sheer directory traversal should never be considered a criminal act.

Of course if they had followed through with the stock manipulation, this would
warrant criminal punishment.

Although of course stock manipulation is only punishable if you're not a bank
or hedge fund, which is sad.

~~~
lawnchair_larry
In the actual chat logs (which Ars ignores), another chatter brings up
shorting the stock, weev explicitly says shorting the stock would be illegal
and that if someone wants to do that, not to involve him. Aside from the fact
that no one did it and this was obviously silly chat room banter to begin
with, weev is actually showing intent of _not_ running afoul of the law.

Later in the chat, another user says that weev should post the leaked data to
a public mailing list, and weev says no because that could potentially be
criminal.

------
sdoering
Can someone clarify something for me? As I am not American, I am trying to
understand if making public the email addresses of the iPad owners was
anything remotely illegal (AT&T-wise).

If so, why didn't weev just show law-enforcement - maybe with press present?
Why not stage it so, that it is a deal between you and a press-outlet, a live
showing of the problem, with a DA (or police/FBI, what ever) present?

I know it only works if the API making personal email addresses public was
illegal. But if so, he would have shamed AT&T, he would have "normal" people
caring, not only the internet bubble, and he would be relatively safe in terms
of legality. Or wouldn't he?

------
smsm42
Despite how similar the cases of Swartz and Auernheimer seem, and despite the latter's
appeal to social justice and freedom causes, I must admit I still have a hard
time mustering sympathy for him. At least not even close to the sympathy I
have to Swartz. I know justice has to be blind, but I'm not in the jury, so I
have the luxury not to be. For me, the difference in approaches is striking.
On one side, we have somebody who contributed to RSS and Reddit - I am not a
big fan of Reddit, but one doesn't have to be a fan to recognize it's a major
establishment in the Internet society - and on the other side, we have what?
GNAA? I can't read minds, but to me, it just seems that while Swartz was moved
by genuine concern and willing to overstep some boundaries, for Auernheimer it
was much more about overstepping boundaries, creating mayhem and pissing
people off, and the cause came just as a convenient channel to direct his
destructive energies. That doesn't mean that I wish ill to Auernheimer - I
wish that his sentence would be light and involve as little jail time as
possible (by now realistically it looks like there would be some) - but I must
say if we want to change public opinion about overprosecuting computer crimes,
guys like Auernheimer don't exactly help the cause.

------
ericHosick
The internet was created by "hackers" and is kept running by "hackers". The
only way to make the internet more secure is through "hackers".

Government, and the laws that are drafted, will not make the internet more
secure. My general feeling is that laws against hacking will only result in a
less secure internet. This, in turn, will lead to more laws against hacking.
And so on...

------
AmVess
Pardon my language, but what the fuck happened to this country.

~~~
monochromatic
People started believing everything they come across that happens to fit in
with a narrative they've accepted.

~~~
weareconvo
What else is new?

------
efdee
"I did this because I despised people I think are unjustly wealthy and wanted
to embarass them." -- This is what makes weev "not Aaron". Aaron wanted to
further the human race, not embarrass people just for the sake of it.

~~~
lessnonymous
"Different from Aaron" isn't a legal defense. This guy is an ass, but he's not
a criminal.

------
pprd
I'm sure this is common knowledge. But this is his "troll" organization -
[http://en.wikipedia.org/wiki/Gay_Nigger_Association_of_Ameri...](http://en.wikipedia.org/wiki/Gay_Nigger_Association_of_America)

------
slevin063
whatever his intention was, data was publicly available

in one way it is no different than AT&T posting all the emails in a public
webpage!

I think AT&T must be sued for poor security

------
grappler
As long as the court of public opinion is in session here, who is this guy?
What other good/bad stuff has he done, outside this case?

~~~
i386
<http://en.wikipedia.org/wiki/Weev>

