Oh, man, what a missed opportunity to make the average Joe Sixpack become aware of cellphone tracking and surveillance. If the researcher had queried every single cellphone number in the United States (for as long as the API kept working) and then published the location of every cellphone in the USA, then laymen might care. When someone can query the list and see his own personal information being broadcast, they will understand. When they can look up any cellphone and pinpoint the location of their wife, husband, girlfriend, boyfriend, boss, children, or neighbor, they might get an inkling that privacy isn't such a stupid thing to worry about.

I guarantee that by next week, this whole thing will be forgotten and nothing will have changed because privacy and surveillance are too abstract for most people -- they need to see all their personal information that's being collected. I admire the researcher's integrity for exposing it the right way (reporting it to CERT and the company itself), but going full Snowden would have had so much more impact on getting better privacy-preserving laws and technology.




If the researcher had done that -- queried every cellphone and published it -- I fully expect they'd receive the same treatment from law enforcement that weev and Aaron Swartz got, if not worse


Given the enforcement served to whistleblowers, I’d be ok if they took financial benefit from leaks:

Auction leaked data to foreign intelligence or companies, then make the price known. We’ve been warned enough times. That’s the only way Americans will put a price on privacy, and fines for unsecured systems will climb through the roof, with wilful enforcement by both companies and customers. And the whistleblower gets paid, better than rotting in Russia for years.


That's a great way to end up on espionage charges.


I think Weev and AT&T is a better example.

https://en.m.wikipedia.org/wiki/Weev


I was not familiar with this case. He received a sentence of 41 months!

From wikipedia:

“noting that no circumvention of passwords had occurred and that only publicly accessible information was obtained”

My personal opinion is corporations have excessive influence over the US government.


Weev's long sentence probably has less to do with what he did than with how he behaved in court.


He did say "I hope they give me the maximum, so people will rise up and storm the docks", so they threw the book at him.


If we are going to have a flawed system, I’m glad when folks like this guy take the brunt of it.

What a nut job.

But yeah, accessing public information probably shouldn’t get you 41 months in jail.


> What a nut job.

Agreed.

> If we are going to have a flawed system, I’m glad when folks like this guy take the brunt of it.

This is wrong on multiple levels.

1. It normalizes and makes it seem slightly more acceptable to have a flawed system;

2. This guy did not "take the brunt" of it. Plenty of other people — dangerous nut jobs and otherwise — have unjustly suffered similarly or worse at the hands of the US judicial system.

3. His conviction was later vacated and he was released.


Perhaps you misunderstood, perhaps not.

If our system fails 1/100 times, I’d rather it fail on a pool of people who include neo-Nazi trolls than you, for instance.

I’m glad the conviction was overturned as well.


Punitive brutality (outdoor tent concentration camps, water-boarding, execution), locking up people for their beliefs, over-incarceration and “throwing away the key” mentality neither engenders reform nor a civilized society... it suggests normalization of psychopathy.


I don’t agree with any of those things.

However, I still hold a position that when a system fails, I’d rather it fail in the direction of Nazis.

But perhaps what you are saying is that in a system with 1/100 failure, I might be less incentivized to fix the problem if the 1% end up being people I don’t like — that seems to be an incentive to be aware of.

I don’t think someone should go to jail for accessing public data (or for being stupid and having “neoNazi” beliefs). I’d vote for laws to correct such problems in the system.

However, as a human, when the system fails, I’d prefer it fail in the direction of Nazis.

Perhaps I have room to mature or grow in this area, I’m open to it.


You keep saying "when the system fails, I’d prefer it fail in the direction of Nazis". That statement is not much different from "When cancer strikes, I’d prefer it strike one of the Nazis."

Neither cancer nor the US judicial system's unfairness discriminate towards Nazis. Your sentiment, "when the system fails, I’d prefer it fail in the direction of Nazis", goes nowhere because when the system fails, it does not look for Nazis to fail in the direction of. There's just no connection between the two parts of your statement.


That years later the website he started would be a monetized shill and bot cesspool? ;)


We should perhaps stop using Weev as an example of an innocent victimized by overzealous prosecutors. His actual conviction was trumped-up, but he'd likely have been in prison already if all the people he harassed and abused had pressed charges instead of trying to get on with their lives.


Neither the fact that Weev is a gigantic asshole, nor your conjecture about what he might have been convicted of since, retroactively erases the injustice of the DOJ's absurd prosecution of him for the AT&T 'hack' - which was imo more about AT&T's wounded pride, and unwillingness to admit that they had effectively given that customer data away.

The AT&T hack is a perfectly good example, probably the most relevant one we have, of someone doing exactly what the GP suggested. Which undoubtedly would face much the same kind of overzealous prosecution, if not much worse given the current climate.

I do agree with GP though, and wish more researchers would be a lot less polite and well-behaved with their disclosures, sow a little more chaos even. This really was a golden opportunity to have a real national impact, and to give a huge number of non-tech people an unprecedentedly effective wake-up call.


He doesn't have enough technical skill to pull off anything. The AT&T hack, a for loop in PHP, was beyond his technical ability and he had to get someone else to do it.

Blogging about being a bad boy and pretending to be master of Anonymous/the cyber Aryan nation is his gimmick. He wishes he was David Koresh, but he's completely harmless.


I have never seen him code, but I personally spoke with weev a number of times while he was a regular at a (in)famous SF hackerspace.

He demonstrated a thorough familiarity with ptmalloc internals, enough to correct someone else's remark about fastbins (meanwhile taking frighteningly large hits of whippets).

Additionally, he was the first person I had ever heard mention Rust.... wayyy back in 2012 (I'm embarrassed to say I thought he was talking about Racket and tried to correct him - I was 19 and thought I knew everything). He seemed to know quite a bit about the language even then.

He continued to discuss other topics arising from this with other hackers. One such conversation I remember more clearly was his exchange with another hacker (a quite skilled one by my estimation) where he seemed to speak rather cogently about the relative merits of a complete semantic tableaux and SMT solvers to determine "real ptr lifetime" (beyond just adhering to a set of idioms that enable a constraint solver to verify reference use).

So if he can't code PHP, then that's even more impressive.

As an aside - in person, he came across as very warm, funny, charming and even deliberately inclusive.

It feels strange now, but long ago, if you looked at him with the right shades on, he'd seem to give a nudge-and-a-wink that the "trolling", including his iconoclastic project of the time: the posthumous baptism of Muhammad's remains via becoming a Mormon deacon (of some sort??) were all intended to be thought-provoking irreverence rather than chaotic evil. No matter what was discussed he always gave the impression there was something more there, something almost hermetic.

In those intervening years my view of him has assumed a different proportion. Those weren't all harmless culturejamming tricks pulled off in the name of some Discordian spirit which lies somewhere behind the neocortex of the hacker mindset. At that time, and many years before then, there were pranks, tricks and trolls that were unimaginably cruel, purposeless and petty.

Since then, prison has hardened him further into a wicked racist who, lacking a better word, is insane.


He memorizes convincing technobabble. That's part of his act. It's no different than a con-man memorizing scripture to scam people.

He might know about how to pimp-out a livejournal page, but that's about it.


Weev was at one point at least somewhat technical; he reminds me a bit of Terry Davis, interesting and quirky at one point in the past but descended into a sort of pitiful madness.

https://www.youtube.com/watch?v=BsTGQbhuL0E


Terry Davis has real technical chops and has written more code for his 'temple' than most people will write in their entire lives. He is God's programmer after all.

Weev just talks a good game.


How are you qualified to make this claim? According to Andrew Anglin, he actually runs the infrastructure for The Daily Stormer[0] so he must have some level of technical competence.

[0] - https://www.theatlantic.com/magazine/archive/2017/12/the-mak...


I knew him for years.

I'd hope after years of Mr Robot larping he figured out how to install a CMS.


> I knew him for years.

Any proof?

You're one person making claims that run counter to everything published about the man.


Any proof of his technical genius?


I never claimed he was a genius. You, on the other hand, are making claims that he is a fraud. Proof would be nice.


Link me to a single line of code he wrote or project he worked on. He's a fraud.


God forbid someone doesn't have an open source project, they must be a fraud!


Scrape and publish the data over Tor. Problem solved.


Joe Sixpack won’t browse it then


You can share a Tor website with people who don't have the Tor Browser installed by adding ".to" after ".onion"

https://www.tor2web.org


That one won't be up long, I mean all it takes is a link from that site to an onion site with some child porn or whatever.


tor2web has been around for a decade now.


haha, oh they would when countless major news orgs carry the story!


publish as in, send an email to major news publications


Published as in make available on the web.


Well sure; so just tip off a foreign national who already lives in Russia or whatever, and they can do it. Unlike an NSA leak, you don’t need physical access to places only US citizens can be in to touch this data; you just need an internet connection.


> so just tip off a foreign national who already lives in Russia or whatever, and they can do it.

That ends up being conspiracy to commit the crime, which hits you just about as hard as the crime itself. You better be _very_ confident that the FBI/NSA won't be able to intercept your communications or tie you to the foreign national who commits the crime.


Or... just be a foreign national who discovers this in the first place?


You're literally suggesting that a researcher should go to Russia so that they can exploit the vulnerability before disclosing it to the people of the United States. I have a feeling that wouldn't fly well in court.


Errr, no... I meant that there would be effectively no consequences if, instead of a US-born security researcher discovering this, a Russian-born Russian-citizen security researcher discovered this. It's a counterfactual, not a suggestion.

A suggestion would be: if you want to research vulnerabilities without the possibility of prosecution, why not research other countries' companies' vulnerabilities, where those countries have no treaty criminal-deportation agreement with your home country? Such companies can still pay you if they appreciate what you've done, but they can't sue you if they don't; and even complaining to their government about what you've done won't really amount to anything in the end.

This, I think, solves the problem, at the cost of raising two other problems:

• Your own government might not appreciate you improving the security of [essential industries of] its enemies;

• The foreign government might interpret the vulnerability research as an act of cyberwar (much like, say, flying your own drones over a foreign military installation as a private citizen would be interpreted as an act of regular war), and your own government might have to trump up some domestic charge to pin on you in order to appease them.

The first factor is more important in time of war (you might be branded a collaborator!); while the second is more important in time of peace (you might be branded an instigator!). So there are probably very few "exactly right" times to do this where you'd likely get away with doing it scot-free.


Whoosh? It's pretty obvious who derefr is talking about.

EDIT: I can't tell if you're being sarcastic or not


Apparently this is going over my head. Who is derefr talking about?


WannaCry


Or he probably meant sending an anonymous tip, if that is even possible..


Punching someone in the face to get them to appreciate the risk they are running of being punched in the face is not ok.

I appreciate the sentiment here but no. "I'm going to show you how easily you can be robbed with poor locks" by robbing you is a crime. Infringing everyone's privacy to show it is possible is infringing everyone's privacy.

You can't claim to infringe privacy because you understand why it's so bad to infringe privacy any more than you can mug people to show them how bad it is being mugged.


If people are already being punched in the face in secret, 24/7, doing it ONE time with their knowledge to open their minds to their reality sounds pretty good to me.


I’d be happy with a compromise: collect everyone’s location but instead of displaying it after submitting the number send it to them as a text.


Those are terrible analogies. Their privacy is already being infringed and it's just making people aware of it.


If the researcher did that they would have gotten prosecuted by the FBI. Probably a better solution was to track every major journalist, tip them that you know their location and then give them the scoop, so you would have major press coverage for a few days in all papers.


Remember FireSheep (https://codebutler.com/firesheep)? No one cared about HTTPS for years. Then one simple app and the entire industry woke up.


The collateral damage would be considerable. How many victims of partner violence tracked to their new home and attacked would be too many to make it "worth it"? And why should a security researcher be the one to make such a decision?


I honestly doubt it, or did you forget about Equifax? Someone did have millions of records for everyone's credit history including birthdays and past addresses.

If this had been a black hat leak where someone was caught selling 300 million people's location data, it would have made a bigger story, yes, but it would be in the same bucket as Equifax right now (and to an extent, Snowden as well).


>Someone did have millions of records for everyone's credit history including birthdays and past addresses.

The point is to make it public. Not claim it's out there somewhere. The ability to go in and see your data just sitting there in the public is what makes it 'real' to people that don't think they care about privacy.


The fact that this Equifax data hasn't surfaced yet makes me think it may have been collected by state actors and is being kept for more nefarious purposes than selling it piecemeal on the dark web.

Imagine the chaos caused by a distributed, automated, nationwide creation of fraudulent accounts and debts.

It would bring the financial system to a halt until the fraudulent transactions could be identified and filtered out.


You're absolutely right. It's too bad this opportunity was missed. Comparing such an act to weev or aaronsw (RIP) is not unreasonable, but aren't we all ready to make such a sacrifice?

We need to be.


Came to HN for tech tips. Stayed for self-sacrifice in the name of social progress.


That Snowden name drop isn't really appropriate. Edward Snowden has always been extremely responsible with his leaks, the exact opposite of what you're suggesting (dump everything no matter the privacy implications).


Would you go around testing the locks on everyone’s front door? Being behind a computer screen doesn’t make what you suggest any different.


This is more like the lock was already tested and somebody posted the information on a suburban street corner complete with GPS information.


It's not like that at all. Here, you are actually opening the door and looking at what's behind it. Over and over again, knowing it's prohibited, for the purpose of getting data you know you're not supposed to have access to.

