I guarantee that by next week, this whole thing will be forgotten and nothing will have changed because privacy and surveillance are too abstract for most people -- they need to see all their personal information that's being collected. I admire the researcher's integrity for exposing it the right way (reporting it to CERT and the company itself), but going full Snowden would have had so much more impact on getting better privacy-preserving laws and technology.
Auction leaked data to foreign intelligence or companies, then make the price known. We’ve been warned enough times. That’s the only way Americans will put a price on privacy, and fines for unsecured systems will climb through the roof, with wilful enforcement by both companies and customers. And the whistleblower gets paid, better than rotting in Russia for years.
“noting that no circumvention of passwords had occurred and that only publicly accessible information was obtained”
My personal opinion is corporations have excessive influence over the US government.
What a nut job.
But yeah, accessing public information probably shouldn’t get you 41 months in jail.
> If we are going to have a flawed system, I’m glad when folks like this guy take the brunt of it.
This is wrong on multiple levels.
1. It normalizes and makes it seem slightly more acceptable to have a flawed system;
2. This guy did not "take the brunt" of it. Plenty of other people — dangerous nut jobs and otherwise — have unjustly suffered similarly or worse at the hands of the US judicial system.
3. His conviction was later vacated and he was released.
If our system fails 1/100 times, I’d rather it fail on a pool of people who include neo-Nazi trolls than you, for instance.
I’m glad the conviction was overturned as well.
However, I still hold a position that when a system fails, I’d rather it fail in the direction of Nazis.
But perhaps what you are saying is that in a system with 1/100 failure, I might be less incentivized to fix the problem if the 1% end up being people I don’t like — that seems to be an incentive to be aware of.
I don’t think someone should go to jail for accessing public data (or for being stupid and having “neoNazi” beliefs). I’d vote for laws to correct such problems in the system.
However, as a human, when the system fails, I’d prefer it fail in the direction of Nazis.
Perhaps I have room to mature or grow in this area, I’m open to it.
Neither cancer nor the US judicial system's unfairness discriminate towards Nazis. Your sentiment, "when the system fails, I’d prefer it fail in the direction of Nazis", goes nowhere because when the system fails, it does not look for Nazis to fail in the direction of. There's just no connection between the two parts of your statement.
The AT&T hack is a perfectly good example, probably the most relevant one we have, of someone doing exactly what the GP suggested. Which undoubtedly would face much the same kind of overzealous prosecution, if not much worse given the current climate.
I do agree with GP though, and wish more researchers would be a lot less polite and well-behaved with their disclosures, sow a little more chaos even. This really was a golden opportunity to have a real national impact, and to give a huge number of non-tech people an unprecedentedly effective wake-up call.
Blogging about being a bad boy and pretending to be master of Anonymous/the cyber Aryan nation is his gimmick. He wishes he was David Koresh, but he's completely harmless.
He demonstrated a thorough familiarity with ptmalloc internals, enough to correct someone else's remark about fastbins (meanwhile taking frighteningly large hits of whippets).
Additionally, he was the first person I had ever heard mention Rust.... wayyy back in 2012 (I'm embarrassed to say I thought he was talking about Racket and tried to correct him - I was 19 and thought I knew everything). He seemed to know quite a bit about the language even then.
He continued to discuss other topics arising from this with other hackers. One such conversation I remember more clearly was his exchange with another hacker (a quite skilled one by my estimation) where he seemed to speak rather cogently about the relative merits of a complete semantic tableaux and SMT solvers to determine "real ptr lifetime" (beyond just adhering to a set of idioms that enable a constraint solver to verify reference use).
So if he can't code PHP, then that's even more impressive.
As an aside - in person, he came across as very warm, funny, charming and even deliberately inclusive.
It feels strange now, but long ago, if you looked at him with the right shades on, he'd seem to give a nudge-and-a-wink that the "trolling", including his iconoclastic project of the time: the posthumous baptism of Muhammad's remains via becoming a Mormon deacon (of some sort??) were all intended to be thought-provoking irreverence rather than chaotic evil. No matter what was discussed he always gave the impression there was something more there, something almost hermetic.
In those intervening years my view of him has assumed a different proportion. Those weren't all harmless culture-jamming tricks pulled off in the name of some Discordian spirit which lies somewhere behind the neocortex of the hacker mindset. At that time, and many years before then, there were pranks, tricks and trolls that were unimaginably cruel, purposeless and petty.
Since then, prison has hardened him further into a wicked racist, who, lacking a better word, is insane.
He might know about how to pimp-out a livejournal page, but that's about it.
Weev just talks a good game.
 - https://www.theatlantic.com/magazine/archive/2017/12/the-mak...
I'd hope after years of Mr Robot larping he figured out how to install a CMS.
You're one person making claims that run counter to everything published about the man.
That ends up being conspiracy to commit the crime, which hits you just about as hard as the crime itself. You better be _very_ confident that the FBI/NSA won't be able to intercept your communications or tie you to the foreign national who commits the crime.
A suggestion would be: if you want to research vulnerabilities without the possibility of prosecution, why not research other countries' companies' vulnerabilities, where those countries have no treaty criminal-deportation agreement with your home country? Such companies can still pay you if they appreciate what you've done, but they can't sue you if they don't; and even complaining to their government about what you've done won't really amount to anything in the end.
This, I think, solves the problem, at the cost of raising two other problems:
• Your own government might not appreciate you improving the security of [essential industries of] its enemies;
• the foreign government might interpret the vulnerability research as an act of cyberwar (much like, say, flying your own drones over a foreign military installation as a private citizen would be interpreted as an act of regular war), and your own government might have to trump up some domestic charge to pin on you in order to appease them.
The first factor is more important in time of war (you might be branded a collaborator!); while the second is more important in time of peace (you might be branded an instigator!). So there are probably very few "exactly right" times to do this where you'd likely get away with doing it scot-free.
EDIT: I can't tell if you're being sarcastic or not
I appreciate the sentiment here but no. "I'm going to show you how easily you can be robbed with poor locks" by robbing you is a crime. Infringing everyone's privacy to show it is possible is infringing everyone's privacy.
You can't claim to infringe privacy because you understand why it's so bad to infringe privacy any more than you can mug people to show them how bad it is being mugged.
If this had been a black hat leak where someone was caught selling 300 million people's location data, it would have made a bigger story yes, but it would be in the same bucket as Equifax right now (and to an extent, Snowden as well).
The point is to make it public. Not claiming it's out there somewhere. The ability to go in and see your data just sitting there in the public is what makes it 'real' to people that don't think they care about privacy.
Imagine the chaos caused by the distributed, automated, nationwide creation of fraudulent accounts and debts.
It would bring the financial system to a halt until the fraudulent transactions could be identified and filtered out.
We need to be.