
If the researcher had done that -- queried every cellphone and published it -- I fully expect they'd receive the same treatment from law enforcement that weev and Aaron Swartz got, if not worse

Given the enforcement served to whistleblowers, I’d be ok if they took financial benefit from leaks:

Auction leaked data to foreign intelligence or companies, then make the price known. We’ve been warned enough times. That’s the only way Americans will put a price on privacy, and fines for unsecured systems will climb through the roof, with wilful enforcement by both companies and customers. And the whistleblower gets paid, better than rotting in Russia for years.

That's a great way to end up on espionage charges.

I think Weev and AT&T is a better example.


I was not familiar with this case. He received a sentence of 41 months!

From wikipedia:

“noting that no circumvention of passwords had occurred and that only publicly accessible information was obtained”

My personal opinion is corporations have excessive influence over the US government.

Weev's long sentence probably has less to do with what he did than with how he behaved in court.

He did say "I hope they give me the maximum, so people will rise up and storm the docks", so they threw the book at him.

If we are going to have a flawed system, I’m glad when folks like this guy take the brunt of it.

What a nut job.

But yeah, accessing public information probably shouldn’t get you 41 months in jail.

> What a nut job.


> If we are going to have a flawed system, I’m glad when folks like this guy take the brunt of it.

This is wrong on multiple levels.

1. It normalizes and makes it seem slightly more acceptable to have a flawed system;

2. This guy did not "take the brunt" of it. Plenty of other people — dangerous nut jobs and otherwise — have unjustly suffered similarly or worse at the hands of the US judicial system.

3. His conviction was later vacated and he was released.

Perhaps you misunderstood, perhaps not.

If our system fails 1/100 times, I’d rather it fail on a pool of people who include neo-Nazi trolls than you, for instance.

I’m glad the conviction was overturned as well.

Punitive brutality (outdoor tent concentration camps, water-boarding, execution), locking up people for their beliefs, over-incarceration and a “throwing away the key” mentality engender neither reform nor a civilized society... it suggests normalization of psychopathy.

I don’t agree with any of those things.

However, I still hold a position that when a system fails, I’d rather it fail in the direction of Nazis.

But perhaps what you are saying is that in a system with 1/100 failure, I might be less incentivized to fix the problem if the 1% end up being people I don’t like — that seems to be an incentive to be aware of.

I don’t think someone should go to jail for accessing public data (or for being stupid and having “neoNazi” beliefs). I’d vote for laws to correct such problems in the system.

However, as a human, when the system fails, I’d prefer it fail in the direction of Nazis.

Perhaps I have room to mature or grow in this area, I’m open to it.

You keep saying "when the system fails, I’d prefer it fail in the direction of Nazis". That statement is not much different from "When cancer strikes, I’d prefer it strike one of the Nazis."

Neither cancer nor the US judicial system's unfairness discriminates towards Nazis. Your sentiment, "when the system fails, I’d prefer it fail in the direction of Nazis", goes nowhere because when the system fails, it does not look for Nazis to fail in the direction of. There's just no connection between the two parts of your statement.

That years later the website he started would be a monetized shill and bot cesspool? ;)

We should perhaps stop using Weev as an example of an innocent victimized by overzealous prosecutors. His actual conviction was trumped-up, but he'd likely have been in prison already if all the people he harassed and abused had pressed charges instead of trying to get on with their lives.

Neither the fact that Weev is a gigantic asshole, nor your conjecture about what he might have been convicted of since, retroactively erases the injustice of the DOJ's absurd prosecution of him for the AT&T 'hack' - which was imo more about AT&T's wounded pride, and unwillingness to admit that they had effectively given that customer data away.

The AT&T hack is a perfectly good example, probably the most relevant one we have, of someone doing exactly what the GP suggested. Which undoubtedly would face much the same kind of overzealous prosecution, if not much worse given the current climate.

I do agree with GP though, and wish more researchers would be a lot less polite and well-behaved with their disclosures, sow a little more chaos even. This really was a golden opportunity to have a real national impact, and to give a huge number of non-tech people an unprecedentedly effective wake-up call.

He doesn't have enough technical skill to pull off anything. The AT&T hack, a for loop in PHP, was beyond his technical ability and he had to get someone else to do it.

Blogging about being a bad boy and pretending to be master of anonymous/the cyber aryan nation is his gimmick. He wishes he was david koresh, but he's completely harmless.

I have never seen him code, but I personally spoke with weev a number of times while he was a regular at a (in)famous SF hackerspace.

He demonstrated a thorough familiarity with ptmalloc internals, enough to correct someone else's remark about fastbins (meanwhile taking frighteningly large hits of whippets).

Additionally, he was the first person I had ever heard mention Rust.... wayyy back in 2012 (I'm embarrassed to say I thought he was talking about Racket and tried to correct him - I was 19 and thought I knew everything). He seemed to know quite a bit about the language even then.

He continued to discuss other topics arising from this with other hackers. One such conversation I remember more clearly was his exchange with another hacker (a quite skilled one by my estimation) where he seemed to speak rather cogently about the relative merits of a complete semantic tableaux and SMT solvers to determine "real ptr lifetime" (beyond just adhering to a set of idioms that enable a constraint solver to verify reference use).

So if he can't code PHP, then that's even more impressive.

As an aside - in person, he came across as very warm, funny, charming and even deliberately inclusive.

It feels strange now, but long ago, if you looked at him with the right shades on, he'd seem to give a nudge-and-a-wink that the "trolling", including his iconoclastic project of the time: the posthumous baptism of Muhammad's remains via becoming a Mormon deacon (of some sort??) were all intended to be thought-provoking irreverence rather than chaotic evil. No matter what was discussed he always gave the impression there was something more there, something almost hermetic.

In those intervening years my view of him has assumed a different proportion. Those weren't all harmless culturejamming tricks pulled off in the name of some Discordian spirit which lies somewhere behind the neocortex of the hacker mindset. At that time, and many years before then, there were pranks, tricks and trolls that were unimaginably cruel, purposeless and petty.

Since then, prison has hardened him further into a wicked racist who, lacking a better word, is insane.

He memorizes convincing technobabble. That's part of his act. It's no different than a con-man memorizing scripture to scam people.

He might know about how to pimp-out a livejournal page, but that's about it.

Weev was at one point at least somewhat technical; he reminds me a bit of Terry Davis, interesting and quirky at one point in the past but descended into a sort of pitiful madness.


Terry Davis has real technical chops and has written more code for his 'temple' than most people will write in their entire lives. He is God's programmer after all.

Weev just talks a good game.

How are you qualified to make this claim? According to Andrew Anglin, he actually runs the infrastructure for The Daily Stormer[0] so he must have some level of technical competence.

[0] - https://www.theatlantic.com/magazine/archive/2017/12/the-mak...

I knew him for years.

I'd hope after years of Mr Robot larping he figured out how to install a CMS.

> I knew him for years.

Any proof?

You're one person making claims that run counter to everything published about the man.

Any proof of his technical genius?

I never claimed he was a genius. You, on the other hand, are making claims that he is a fraud. Proof would be nice.

Link me to a single line of code he wrote or project he worked on. He's a fraud.

God forbid someone doesn't have an open source project, they must be a fraud!

Scrape and publish the data over Tor. Problem solved.

Joe Sixpack won’t browse it then

You can share a Tor website with people who don't have the Tor Browser installed by adding ".to" after ".onion"


That one won't be up long. I mean, all it takes is a link on that site to an onion site with some child porn or whatever.

tor2web has been around for a decade now.

haha, oh they would when countless major news orgs carry the story!

publish as in, send an email to major news publications

Published as in make available on the web.

Well sure; so just tip off a foreign national who already lives in Russia or whatever, and they can do it. Unlike an NSA leak, you don’t need physical access to places only US citizens can be in to touch this data; you just need an internet connection.

> so just tip off a foreign national who already lives in Russia or whatever, and they can do it.

That ends up being conspiracy to commit the crime, which hits you just about as hard as the crime itself. You'd better be _very_ confident that the FBI/NSA won't be able to intercept your communications or tie you to the foreign national who commits the crime.

Or... just be a foreign national who discovers this in the first place?

You're literally suggesting that a researcher should go to Russia so that they can exploit the vulnerability before disclosing it to the people of the United States. I have a feeling that wouldn't fly well in court.

Errr, no... I meant that there would be effectively no consequences if, instead of a US-born security researcher discovering this, a Russian-born Russian-citizen security researcher discovered this. It's a counterfactual, not a suggestion.

A suggestion would be: if you want to research vulnerabilities without the possibility of prosecution, why not research other countries' companies' vulnerabilities, where those countries have no treaty criminal-deportation agreement with your home country? Such companies can still pay you if they appreciate what you've done, but they can't sue you if they don't; and even complaining to their government about what you've done won't really amount to anything in the end.

This, I think, solves the problem, at the cost of raising two other problems:

• Your own government might not appreciate you improving the security of [essential industries of] its enemies;

• the foreign government might interpret the vulnerability research as an act of cyberwar (much like, say, flying your own drones over a foreign military installation as a private citizen would be interpreted as an act of regular war), and your own government might have to trump up some domestic charge to pin on you in order to appease them.

The first factor is more important in time of war (you might be branded a collaborator!), while the second is more important in time of peace (you might be branded an instigator!). So there are probably very few "exactly right" times to do this where you'd likely get away with it scot-free.

Whoosh? It's pretty obvious who derefr is talking about.

EDIT: I can't tell if you're being sarcastic or not

Apparently this is going over my head. Who is derefr talking about?


Or he probably meant sending an anonymous tip, if that is even possible..
