Thanks to weev and his associates, my business partner, many of my volunteers, some family members of the above, and everybody who weev and his "trolls" could reach were subjected to a months-long campaign of constant harassment.
* One volunteer had to interview with Child Protective Services and the police because of false complaints made by weev and his friends.
* Another volunteer had trouble at her university because they tracked down her professors and made false claims.
* Our business faced several Denial of Service attacks and false complaints to our merchant processors and hosting providers.
* Harassing voicemails, phone calls, emails, IMs, IRC messages, etc etc etc.
The list of things that weev and the so-called Gay Niggers Association of America (http://en.wikipedia.org/wiki/Gay_Nigger_Association_of_Ameri...) did to us is pretty long. It's sad, really.
In the end, it stopped when (I can only assume) he got bored. We developed a strong relationship with our hosting provider, our new payment processor, and we did as much as we could to help people who were put in bad situations because of weev's actions. Ultimately, we lost some volunteers and bled money for 3 months, but we survived.
So, weev has a good enough story to get his "confession" in TechCrunch and on Twitter and people think that he's another example of the over-broad reach of law and the destruction of young lives by powerful corporations/organizations.
Maybe it is.
But if you value the legacy of Aaron Swartz, do not for one minute confuse him and Andrew Auernheimer. One was a man driven by a vision who helped defeat SOPA and did many other good and noble things, the other is a self-described troll who spent years of his life doing his best to extract "lulz" from the pain and suffering of his fellow human beings.
All that doesn't make accessing a sequence of URLs, joking about selling the resulting personal data, giving it to a journalist to expose the flaw and then deleting the data worthy of a long prison sentence (if any at all). If this offence gets a large penalty what room is there for someone who does sell the data from such a break for profit? There is also the risk that it sets a norm for this offence and the next person being threatened by a prosecutor hears about how this guy got 10 years for just crawling a sequence of URLs.
My conclusion is that it is OK to hate this guy, think he deserves a long spell in prison but not to want this action to lead to a long sentence.
But incrementing a number at the end of a URL should be legal even if Hitler is doing it, plain and simple.
The problem is not that "he incremented a number, get the sheriff" but "he incremented a number to get access to information which he then maliciously used".
Had he actually tried to sell the personal data OR actually shorted AT&T shares that would be very different from my point of view and be worthy of actual punishment, but my understanding is that didn't happen. Given it didn't happen, it should be up to the prosecution to prove that he wasn't joking for that to be used as intent.
I'm a little uneasy about the idea of not prosecuting him at all though as the flaw could have been exposed by collecting a sample of the data to see the extent of it without collecting it all but I would be equally open to prosecuting AT&T for not securing customer data appropriately (I would have no problem with prosecuting both - the victims are the customers whose data was exposed by AT&T).
I'm assuming here that the following two press accounts are not grossly misrepresenting the facts:
Here at least you have clearly stated malicious intent, which may or may not have been serious, in jest or otherwise, but clearly the potential harm in Andrew Auernheimer's case is real, so much so that they 'joked' about shorting ATT stock before they released the data.
They were facing potentially only 10 years each max, compared to Aaron's 50.
To me, the disproportionate charges in the two cases are the most galling thing and should serve to highlight how out of control the prosecutors were in the Swartz case. 10 years may even be disproportionate in Auernheimer's case as well, but at the moment I'm quite unsympathetic given what I've read.
I say all of that fully ready for the inevitable "HN Turnaround" when more facts and POVs are brought to bear and I change my mind on this. But at the moment I see very little in common between two self-aggrandizing lulzing jokers and Aaron Swartz.
But here's the thing. Screw Auernheimer. Forget about him. He's a jerk, nobody is going to be motivated to fix anything to help someone like that. He opens his mouth and stupid comes out and it makes otherwise helpful people dislike him.
And we need to fix the laws. For everyone. Not even these idiots deserve to be felons. But I agree that we shouldn't be touting them as examples, because they probably smell funny and it would be a great shame for the stench to rub off.
The idiot kids who sneak into a factory to see what there is to see are criminals. Should they be felons? No, but under the CFAA, simply breaching a digital boundary is a misdemeanor. It's only when it is in the furtherance of another criminal act that it is potentially punishable as a felony.
In this case, that last bit is predicated on a NJ statute which requires: "defendant 'knowingly or recklessly discloses or causes to be disclosed any data . . . or personal identifying information.'"
If the jury finds he didn't disclose or cause to be disclosed any personal information, the NJ statute won't have been violated, and the CFAA charge will reduce to a misdemeanor.
I should point out that I'm not a fan of such "escalation" provisions.
I don't know if that's the right analogy. That's part of the problem: I think legutierr is on to something with the issue that every time we talk about the CFAA we try to come up with strained analogies, because we can't conceptualize why the specific thing that someone did to a computer is wrong. Why is this like sneaking into a factory and not like reading a list of their other customers' email addresses that AT&T has mistakenly printed on the back of everyone's billing statement?
I still think the whole notion of "unauthorized access" is the wrong way to go. If someone breaks into your computer and intentionally deletes your data, vandalism. If they take credit card numbers and use or sell them, identity theft. So on and so forth. If all they do is fiddle with a URL or prove to you that your security is not what you thought it was without damaging anything or committing any other crime, why does that have to be a crime in itself? It seems like all that does is chill the propensity for security experts to point out vulnerabilities when they see them, for fear that embarrassing the system's operator will result in retaliatory pressing of charges, and give prosecutors a catch all to charge people with when they can't make a case based on anything else.
This is almost a case in point. These defendants are royal jerks. They're sitting around contemplating everything from blackmail to securities fraud, but in this specific case it doesn't seem like they've actually done anything like that, just talked about it like pompous idiots. So they get charged with the CFAA, because it catches almost everybody whether they've really done anything or not, even though from what I can tell all they actually did was publicize that AT&T's poor security was putting AT&T's customers' personal information at risk. I don't know how convinced I am that the fact that they did it in a stupid and immature way should send them to jail.
Because it requires intentional effort to find information that is intended to be private. It requires you to "walk through the door." The digital equivalent of your scenario is if AT&T accidentally e-mailed their customer list to everyone along with their e-bills.
> I still think the whole notion of "unauthorized access" is the wrong way to go. If someone breaks into your computer and intentionally deletes your data, vandalism. If they take credit card numbers and use or sell them, identity theft. So on and so forth. If all they do is fiddle with a URL or prove to you that your security is not what you thought it was without damaging anything or committing any other crime, why does that have to be a crime in itself?
I disagree. I don't think the digital world should be treated any differently than the real world. In the real world, we enforce boundaries in their own right, with minimal penalties unless it is accompanied by another crime. We do so to discourage people from poking around where they shouldn't, because such poking around is highly correlated with actual crime. Allowing people to poke around freely makes enforcement hard. Everyone who actually did something wrong is going to claim "oh I was just poking around." This rationale translates just fine into the digital world.
> It seems like all that does is chill the propensity for security experts to point out vulnerabilities when they see them
Why can't security researchers get consent from their subjects to do experiments on them, like every other kind of researcher? Should my doctor be allowed to test his pet theories on me while treating unrelated conditions, on a "no harm no foul" basis?
The idea that security researchers are or even should be free to poke at random websites for vulnerabilities so they can "inform the public" is a myth. It's a meme that's seen most of its spread over the last few years. A couple years ago, most professional researchers would warn you not to test public web applications for flaws. People have gotten into serious legal trouble for doing that.
The C.W. on this has obviously changed. But I don't think the law has!
The best web application shops post pages, like 37signals, or Github, or Google, inviting researchers and instructing them how to report their findings. If you're concerned that you might be using an application that would sue or press charges for someone conducting unauthorized security tests, just stick to the ones that have security pages.
The web applications that don't post pages like this? Don't poke them. It's illegal and (you'd know better than me, Rayiner) probably a tort, which means you can get sued for it right through your corporate liability protection.
There is no door though. The digital equivalent of your scenario is Tron.
An intentionally publicly accessible computer doesn't have well-defined boundaries. The line between authorized and unauthorized is very fuzzy, which is not a good feature in criminal law. Especially where defendants are characteristically individuals without the resources to defend their interpretation of the law in court.
>We do so to discourage people from poking around where they shouldn't, because such poking around is highly correlated with actual crime.
That seems like a self-fulfilling prophecy. If you criminalize poking around then only criminals will poke around. There are also much better reasons for prohibiting it in physical space than on the internet. Industrial equipment can be dangerous and cause massive property damage or personal injury if you mess with it. Invading someone's home impacts their physical security. These are rarely if ever the case with computers. Servers are (or should be) backed up, so even where there is highly valuable data, the extent of destruction someone can accidentally cause is limited to the cost of restoring backups, and reckless or intentional damage would continue to be illegal.
Harmless poking around also has the benefit of revealing vulnerabilities before they get revealed through malicious poking around. A kid who sneaks through your literal open window and starts nosing around in your house is not pointing out a critical security vulnerability; you know that your window is open. There is no benefit to the homeowner, the kid is just a pest. But computers have higher security requirements: The equivalent of an open window is a major failing in need of immediate attention, because if a kid can get in then so can foreign criminal syndicates, and if they get in they'll be doing more than poking around.
>Allowing people to poke around freely makes enforcement hard. Everyone who actually did something wrong is going to claim "oh I was just poking around."
Won't the fact that they actually did something wrong give lie to that claim? The ones who are actually doing something wrong will be found making charges to purloined credit card numbers or modifying shipping information in databases or the like. I suppose you may catch someone in the act before they have an opportunity to do any such thing, but if you have someone who is really trying to do wrong, isn't it better to extend the investigation so as to be able to charge them with the serious crime they actually intended than to roll them up right away on a minor offense?
>Why can't security researchers get consent from their subjects to do experiments on them, like every other kind of researcher?
Discovering vulnerabilities in production servers is not really research, it's more like being a plumber or a firefighter. There may be professionals who are paid to do it, but if you see water leaking or smell smoke, taking a moment to do some cursory looking around to see if there is a serious underlying problem should be just part of being a good citizen.
As for asking permission, the trouble is that the transaction cost consumes the transaction. If someone goes to a website and notices that the URL has a 'userid=1157' appended to it, the natural thing to do is to try putting in 'userid=1158' and see what happens, because the two most overwhelmingly likely things are either for it to produce an access denied error and be harmless, or to log you in as a different user and be harmless as long as you don't further abuse that fact. And 99 times out of 100 it will be the first one. Which is why requiring permission breaks the propensity for good people to help out: If the expectation is for people to ask permission before doing something like that, the website operator is going to have anyone who notices that asking about it, and if it isn't broken then it gets annoying, which annoyance is conveyed to the people asking about it so that in the future they stop asking and stop helping. Which is I think what we see: Security people mostly don't poke websites because the law prohibits it, so security flaws don't get identified until the bad guys identify them.
I would also distinguish this from doing something like SQL injection or exploiting a buffer overflow, which can reasonably be expected to cause a denial of service or data corruption. In those cases there could be a charge for something like reckless disregard for damaging a computer system as opposed to purely for unauthorized access.
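An added illustration of the 'userid=1157' / 'userid=1158' scenario discussed in the comment above; this is constructed example code, not code from any commenter or from AT&T, and the in-memory PROFILES table is made up. It shows the server-side pattern that lets anyone walk the id space beside one that ties the lookup to the authenticated session, plus a small audit helper a site operator can run against their own handlers.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed "database": object id -> owner and the sensitive field.
PROFILES = {
    1157: {"owner": "alice", "email": "alice@example.test"},
    1158: {"owner": "bob", "email": "bob@example.test"},
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: the user from a verified
    session cookie (None if not logged in) and the client-controlled
    query-string parameters."""
    session_user: Optional[str]
    query: dict


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def _parse_id(req: Request) -> int:
    """Reject non-numeric ids the same way as missing ones."""
    try:
        return int(req.query["userid"])
    except (KeyError, ValueError):
        raise NotFound()


def profile_vulnerable(req: Request) -> dict:
    """The pattern the comment describes: the server trusts whatever id
    the URL names and returns that record. Incrementing the number in
    the address bar yields the next user's data."""
    uid = _parse_id(req)
    try:
        return PROFILES[uid]
    except KeyError:
        raise NotFound()


def profile_hardened(req: Request) -> dict:
    """Authorization is decided by the session, not the URL. The id is
    still accepted, but the record is only returned if it belongs to the
    caller, and a foreign id produces the same error as a nonexistent
    one so the response does not confirm which ids exist."""
    if req.session_user is None:
        raise Forbidden()
    uid = _parse_id(req)
    record = PROFILES.get(uid)
    if record is None or record["owner"] != req.session_user:
        raise NotFound()
    return record


def audit_exposure(handler, session_user, ids):
    """Operator's self-check: which of the given ids does this handler
    hand back to a single session? A correct handler exposes only the
    caller's own record(s)."""
    exposed = []
    for i in ids:
        try:
            handler(Request(session_user, {"userid": str(i)}))
            exposed.append(i)
        except (Forbidden, NotFound):
            pass
    return exposed
```

Running audit_exposure over a range of ids is the check an operator wants in their own test suite: the vulnerable handler returns every record that exists, the hardened one only the caller's.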
Not true. Just because you may have to rely on a public defender doesn't mean your legal theory would have legs with a better lawyer.
A kid who sneaks through your literal open window and starts nosing around in your house is not pointing out a critical security vulnerability; you know that your window is open. There is no benefit to the homeowner, the kid is just a pest. But computers have higher security requirements: The equivalent of an open window is a major failing in need of immediate attention, because if a kid can get in then so can foreign criminal syndicates, and if they get in they'll be doing more than poking around.
That's true as a pragmatic matter, but it is not your decision to make about other people's systems. I can think of cases where an open window is a critical security vulnerability; kids can fall out of them, medical or legal papers may be accessible to third parties and put the subject of those papers in jeopardy and so on. But that doesn't entitle me to climb through the window in order to demonstrate or draw the homeowner's or business operator's attention to the risks of the open window.
While it's quite true that AT&T was doing its customers a disservice here, and I have no problem with people observing and commenting upon that fact, it's their computer system, not yours. You don't have a right to poke around there just because you have the know-how to build/operate a more secure system. I doubt you would appreciate a private security company representative turning up in your living room to harangue you about your open window. You would rightly tell him that a) it's not his business and b) if he wants to help, ring the fucking doorbell first, rather than publishing a directory of what's inside your house.
In other words, if it's possible that legal reform designed to prevent cases like Aaron's from occurring again could also let bad actors like Auernheimer off the hook, that could undermine support for the reform.
As far as whether Auernheimer is a felon, I still don't know. It's one thing to find a vulnerability, it's another thing entirely to not only not report it, but exploit it and openly discuss how to use the results to cause significant material harm.
Reported actions of Auernheimer in the AT&T case:
- Did not report the vulnerability but sat on it and refined a script to exploit the data and debated how and who in the press to report the vulnerability to in order to inflict the most economic damage.
- Harvested over 114k emails.
Alleged quotes of Auernheimer:
- "I don't see the point unless we phish for passes even then that's boring"
- "[A]t this point we won. we dropepd [sic] the stock price," Auernheimer wrote. "[L]et's not like do anything else we fking win and i get to like spin us as a legitimate security organization."
Very, very hard to be sympathetic here. He exploited a vulnerability, stole information and discussed at length how to use it to inflict damage. Weigh into that his past malicious behavior, and I wonder if he's not getting off easy.
Comparing Weev to Aaron is like comparing the Dalai Lama to Hitler. Weev is actively cultivating this comparison. DO NOT FEED THE FUCKING TROLL.
Prosecutorial bullying and overreach is bad whoever it is done to (even if they are an Ass/Hitler).
Do you want 10 years to be the normal sentence (or even the prosecutors threat) for crawling URLs and reporting the privacy breaching results to the news media?
In my view some of the behaviour in the story that you linked to is MORE criminal than the actions against AT&T. If evidence can be found for that I would be fully in favour of that prosecution, but the "he's done all these horrible things that we can't prove, so let's trump up a minor issue we can prove" concept doesn't feel like a secure route to freedom and justice for anybody. If the linked information could all be proved in court to be Weev I would be happy for him to get 1-2 years in prison for harassment, or longer if it is a pattern of behaviour against other people too, but for the AT&T "hack" anything over a month or two would seem excessive to me.
This is such a sanitized version. I'm open to being corrected here, but afaik the 'crawling' in question was done by a script written and refined for the expressed purpose of harvesting data, with intent to cause material economic harm to AT&T, which they did. They sat on the vulnerability for days while discussing at length how to perform the 'report' in such a way as to cause the most negative effect.
They knew full well what they were doing was illegal and were afraid of being caught and discussed it.
Let's state it again in a less-sanitized fashion: They found a vulnerability, did not report it, exploited the vulnerability and stole data with the stated intent to cause material harm and/or sell said data, and actually brought about said economic harm.
People defending weev are making it sound like some guy tweaked a value in his browser url bar, ran to AT&T and said 'look what I found', and had his home promptly raided. Hence the ridiculous top comment on slashdot, "America has lost its fucking mind."
Let us not, as the hacker community, lose ours over this. What weev did was malicious and illegal and harmful, and if we appear to defend him I'm afraid we undermine the cause of Aaron's case and the possibility of curtailing real prosecutorial aggression. I really don't think it was the case at all with weev.
Legally in the US there seems to be very little protection for privacy (unlike copyright) whereas in the UK Sony has just been fined £250K for failing to adequately secure personal data (PSN hack).
Should this person have collected more than 100K email addresses? - NO.
Should they have blown the whistle or reported it straight away? - YES
Were they criminal? Probably just about.
Does what they joked about matter? No unless they actually tried to do it.
Does the fact that they wanted to harm AT&T matter? Not much for me. AT&T harmed themselves, and while discoverers of the flaw could have mitigated AT&T's harm and these guys chose not to, for me that doesn't turn it into a crime, although it possibly does suggest additional sentencing is appropriate.
Is 10 years an appropriate sentence for accessing information that legally had less legal protection than copyright works? Definitely not in my view.
I also completely disagree that AT&T 'harmed themselves'. This to me is grey-hat rationalizing/hand-washing. "It's not my fault that your security sucks. I just, you know, exploited it, harvested hundreds of thousands of emails, highlighted the most important executive and government official emails and released them in as public a manner as possible, potentially causing hundreds of thousands or even millions of dollars worth of economic damage and loss of reputation."
Sorry, to me a max 10 years is light, compared to the kinds of white-collar sentences we've seen for stuff like insider trading. They stole the data. They sat on it. They tried to release it in such a way as to cause harm, and the potential dollar-value risk for AT&T and all their employees was huge. Think of the massive hit RSA took when their data was stolen. It doesn't matter how "easy" the hack was: what matters is intent, action and effect. All three, to me, are clear-cut here. I don't see how weev could expect any different outcome.
How do they craft law that is generic enough to catch guys like weev but flexible enough that people like Aaron are found not guilty?
I tell others, maybe the severity of the charges were harsh in Aaron's case but I was wondering if we should have had a trial proceed and hear the facts. Others argue that we shouldn't have had a trial and the prosecutor should be fired. But how do we know for sure that Aaron didn't commit a crime?
Say you have a journalist who suspects a company is doing something not kosher or has a big acquisition coming. That company has a strict policy that employees may not talk to the press without permission. Despite that the journalist probes, he tries a bunch of people, he then finds someone inside the company who is willing to talk and reveal the company is doing something unethical or is going to buy a company.
The journalist then publishes that info and hopes, as a sign of the power of the story, that it is market-moving news. In an e-mail to an editor, she jokes that they ought to short the company. Or if you are Mark Cuban's short-lived venture, one actually shorts the company.
Given the journalist has exceeded authorized access to an employee and hoped to do damage to a company, should that journalist be prosecuted and charged with a felony?
If not, why is Weev being charged with a felony for doing the same exact thing by getting the info from a publicly available server that had no password protection?
To follow your analogy further, the Chinese spies who socially engineered access to RSA's security hashes wouldn't be guilty either.
A security hole, like an open door, is not a tacit abdication of rights to a company's data, nor a tacit invitation to do any and all kinds of harm to the company with that data, nor a tacit surrender of all legal means to recoup damages resulting from the stolen data.
Since a member of the group tells us the script was shared with third-parties prior to AT&T closing the security hole, it's not known exactly whose hands the exploit fell into and what those people did with the names they obtained.
The only person to receive the dataset was Gawker journalist Ryan Tate who responsibly redacted it.*
*: per the Gawker article, http://gawker.com/5559346/apples-worst-security-breach-11400...
This itself is a contentious point. I have already placed all facts which are out in the public domain. Any help to reach a concrete conclusion would be appreciated.
It doesn't quite answer your question on what he did in this case, but it shows his perspective on it.
He is correct that the end result of disclosure is shades of gray - not black and white, as we've seen recently with the student in Montreal who was suspended.
Off topic -
> He is correct that the end result of disclosure is shades of gray - not black and white, as we've seen recently with the student in Montreal who was suspended.
Well, the Montreal youth seems to have been offered a job by the same part-time company which led to his expulsion. I kind of predicted this on HN 2 days back. :-D
The illegality of Aaron's actions is debatable, but the sentencing and lawyering by the DoJ has been seen as inappropriate and over-zealous by almost all spectators.
Also, as facts those email addresses aren't copyrightable. Taking them and selling them for profit is what all direct mail companies legally do with phone numbers and email addresses they find.
Websites without passwords are like postcards. Don't try to mandate restrictions on reading postcards, just use envelopes where needed.
Weev is a troll. That's not a judgment, that's fact. His antics weren't about liberating data or making a bigger statement, it was about embarrassing a company. He did it for the lulz.
The law might not see these as different cases (though like you, I know I do), but public opinion certainly will.
To be totally honest, I'm sort of disgusted that he's using Aaron's suicide as fodder to try to gain sympathy or sentiment ahead of his sentencing.
I am not a lawyer, but as I understand it, the crime that weev is being charged with is literally that he accessed certain publicly available URLs. For this, he is being charged with "accessing a computer without authorization" and fraud.
As for Aaron versus weev: our dedication to a principle is tested when it protects people that we don't like.
It's become part of the trial to establish that he didn't have good intentions and is a generally obnoxious person. I have to say I agree with that - after discovering the issue, he downloaded lots of people's personal data, which wasn't admirable behavior. You might download 10, 20, 100, just to see what happens. After that, the right thing is to disclose it to the company (anonymously if you have to), and then publicly if they do nothing about it.
But if what he did is a crime, there should be a more tightly worded law about it. He didn't misrepresent his identity; it was AT&T's fault for not checking. He didn't access a computer without authorization; AT&T did the equivalent of emptying a box of private documents on their front lawn.
Not having good intentions then taking action consistent with that is the definition of a crime.
The alleged crime was identity theft. The people he was accused of stealing the identity of were journalists whose emails and UCC-IDs were pulled out of the data in order to email it to them to get their attention.
It's a bullshit prosecution and I'm flabbergasted that people on this board 1) can't bother to dig up the facts and 2) support the feds prosecuting yet another hacker who didn't do shit.
I have to agree with neil, though I'm not suggesting you're doing this:
> our dedication to a principle is tested when it protects people that we don't like
You're oversimplifying the situation. See: http://en.wikipedia.org/wiki/Model_Penal_Code.
As I said, crime = intent + action. If you kill someone, and you had no bad intent (it was neither your purpose to kill them nor were you acting negligently), then there is no crime. At the same time, if you fully intend to kill someone, but don't take any action consistent with that intent, there is no crime. The two factors must also exist simultaneously. If you intend to kill someone, and buy a gun, you can be charged with attempted murder. If you fully intend to kill someone today, but then change your mind, and tomorrow buy a gun because of a rash of burglaries tomorrow, then there is no crime.
Now, obviously we can't get inside someone's head. So we infer intent from action. But we must always remember that the focus is not the action, but what the action says as evidence of the person's intent. And no matter what intent is inferred, there must still be independent action towards committing the crime.
So no, it's not illegal to say "I might do this." But, saying "I might do this" can amount to evidence that you intend, in fact, to do this, and if you independently take some other action consistent with this intent, you can be charged with an attempted crime.
What if I go to the beach at night not knowing that you can't enter the beach after sunset, then when I get there I see the sign and turn back without going in? Attempted trespassing on the beach after sunset for driving to the beach with that intent?
It seems like there has to be a piece missing somewhere. I mean what if my intent is to do something I'm not sure is a crime but in actual fact is and the act in furtherance of it is to call my lawyer and ask where it's actually a crime? I have to be missing something here.
In the MPC, there are (at least) three backstops.
1) The act in furtherance must be a "substantial step" and "strongly corroborative of criminal intent." The latter language creates a sliding scale for the former. Building a dirty bomb might be a substantial step towards a terrorist plot, but "attempted bear hunting" probably requires a park ranger to find you aiming at a bear.
2) Abandonment of the plan is a complete defense.
3) The mens rea for attempts is high. Actual crimes that require only reckless intent require purposeful intent for attempts at committing that crime.
The MPC indulges itself in a little bit of "if a tree falls in the forest" thinking, but largely because it tries to take principles to their logical conclusions. There is an interesting primer on it: https://www.law.upenn.edu/fac/phrobins/intromodpencode.pdf.
Is what weev did the same as walking to your ex-wife's house with a chainsaw while you shout that you're going to murder her (God forbid)? No, of course not. Given the actual harm or potential harm incurred here, weev's crime was more like walking to your ex-wife's house with an oversized down pillow while you talk about giving her a spanking on the bottom with it.
Is what weev did the same thing as walking into a stranger's house through his unlocked front door and then rifling through his personal papers? I don't think so. It would be better to say it is the same thing as walking past a house after the owner has plastered it with old credit card statements and then remarking to a fellow passer-by that you might make some expensive purchases using that now-public information.
The problem with the charges filed against weev and the charges filed against aaronsw is that they were based on a law that so lacks specificity and grounding in actual computer practice that even computer professionals need to use analogies to justify the illegality of the acts. If the law were legitimate such analogies would not be required.
Is it fair to convict a person based on an analogy, when another analogy might be more correct? If an appropriate analogy is required to determine guilt, then does the analogy itself take on the weight of law, and if so, who is to determine the correct analogy to apply in such a case (when the choice of appropriate analogy is what determines guilt or innocence), the judge, or the jury? No, if an action is going to be criminal, it must be possible to describe that action itself in its own literal terms and thereby determine its criminality.
You write that "crime = intent + action", and then you talk about nothing but his intent. The fact is that the action he undertook can only be described as criminal insofar as accessing a public URL that is not otherwise publicized qualifies as "exceeding access", which is what the CFAA makes a crime.
This is the problem with your argument, with the cases against both weev and aaronsw, and with the CFAA itself. Whatever ill will may have existed in weev's mind (I'm sure there is plenty there to go around), for his action itself to be criminal, weev had to know what was in the mind of AT&T. And how could he? Because "authorization" is not a concept in the http protocol (or maybe there is, if you count http authentication, which wasn't used here) there are no methods besides clairvoyancy or pure guessing to determine whether a public URL is intended for open access or not. We have to assume that a public URL automatically grants authorization.
This is why the case against weev is so distressing. Although his intent may have been questionable, the actual action that is being prosecuted in this case is nothing more than fiddling with a url in a web browser. Who hasn't done this when looking through an image site like imgur.com or similar, just to see what's there randomly? We do this because it is universally accepted that unless a password restriction has been placed on a url, any publicly-accessible URL is intended to be viewed by the general public. Assuming anything else would break the Internet.
I'm not saying what weev did is as bad as attempted murder. I'm using the example to illustrate the concept.
> Is what weev did the same thing as walking into your house through your unlocked front door and then rifling through your personal papers? I don't think so. It would be better to say it is the same thing as his walking past your house after you plastered it with old credit card statements and then remarking to a fellow passer-by that he would do well to make some expensive purchases using that now-public information.
It's not like that at all. You're completely ignoring intent, and thereby taking the human element out of it and reducing it to the mechanical. If you plaster your house with credit card statements, a passer-by can reasonably infer that you intend to make the information public. Otherwise, why else would anyone do that? But AT&T clearly didn't intend to make the information public, and Weev's actions clearly suggest he knew that. AT&T made a mistake, but Weev took advantage of that mistake to access private information AT&T didn't intend to make public. The fact that I forgot to lock my door does not give you the right to go rifling through my shit! The fact that it's easy or even trivial to do so does not make it okay.
> The problem with the charges filed against weev and the charges filed against aaronsw is that they were based on a law that so lacks specificity and grounding in actual computer practice
I disagree with the contention that snooping around where you're not wanted for private information is grounded in "actual computer practice." It's grounded in a certain adolescent "hacker culture" that glorifies pushing peoples' buttons and getting around boundaries, but that is not coextensive with computer practice.
> that even computer professionals need to use analogies to justify the illegality of the acts. If the law were legitimate such analogies would not be required.
All law is based on analogical reasoning. Analogies allow us to illustrate operative principles to help translate from familiar situations to unfamiliar ones. Analogies in this case help illustrate the basic principle: just because it's easy to violate someone's property rights does not mean that such actions are not a violation.
> The fact is that the action he undertook can only be described as criminal insofar as accessing a public URL that is not otherwise publicized qualifies as "exceeding access", which is what the CFAA makes a crime.
What's unclear about the application of the CFAA here? He had a certain level of access to AT&T's information. He, through some means (it is utterly irrelevant the simplicity or difficulty of those means), exceeded his authorized access to get access to private information. He knew that he was getting access to information AT&T didn't intend him to access, and that AT&T had taken measures to conceal (it is utterly irrelevant how feeble those measures were). He then took the action of actually downloading that information. That's bad intent + accompanying action.
> Whatever ill will may have existed in weev's mind (I'm sure there is plenty there to go around), for his action itself to be criminal
This is a non-obvious feature of criminal law, but it needs to be understood. Under the law, "actions" are not criminal. Actions taken in a given frame of mind are criminal. The same action could be criminal or not depending on the intent. Take the simple act of entering someone's unlocked car. It can either be illegal trespass or not, depending entirely on whether you knew the car wasn't yours and you entered anyway.
> weev had to know what was in the mind of AT&T. And how could he? Because "authorization" is not a concept in the http protocol (or maybe there is, if you count http authentication, which wasn't used here) there are no methods besides clairvoyancy or pure guessing to determine whether a public URL is intended for open access or not. We have to assume that a public URL automatically grants authorization.
No, weev did not have to know what AT&T was thinking. The law does not hold him to that standard. The standard is objective: what would a reasonable person infer about AT&T's intentions? We do not have to use some bullshit mechanical assumption that ignores the simple fact that humans can do a pretty good job of guessing what other humans intend. You cannot tell me with a straight face that just because AT&T's security was trivial to get around that a reasonable person would conclude that AT&T had intended to grant open access to their members' e-mail addresses. That's the point of the "unlocked door analogy." Any normally functioning human being realizes that leaving a door unlocked does not create an inference that people are entitled to enter.
I think you are getting into the weeds here talking about legal standards. Do you know what the standard is when a party mistakenly discloses something (leaves confidential info on a park bench, or throws it out with the trash, or publishes it on a public website)? Do you know what the duties and obligations are of a person that discovers such a mistake? This is the area of established law that should be applied in this case. The "unlocked door" analogy is ridiculous. Accidentally publishing something via a public URL is the equivalent of accidentally publishing something in the newspaper, and equally negligent.
In other words, I believe that you are wrong. Any reasonable and computer literate person will assume that if information is available via a public URL without authentication it is intended for public consumption. If this were not the case, then it would fall on every internet user to interpret the intent of the publisher based on the contents of the accessed document, which is largely impossible without first obtaining access in the first place!
2) "Actions taken in a given frame of mind are criminal. The same action could be criminal or not depending on the intent."
There is a certain class of action for which this is true: actions that are expressly prohibited when undertaken with mens rea. Not all criminal acts require mens rea (drunk driving), and certainly not all actions can be treated as criminal even if there is some kind of ill intent (ridicule of a public figure, stealing someone's girlfriend). You are making very broad assertions about how the law works and they are not fully correct.
With regards to the matter of the CFAA and "exceeding authorization", in order to assert that what weev did was criminal you have to establish that the underlying action is illegal when undertaken with mens rea, not just that there was some ill intent. The underlying action of accessing a public URL is not criminal, as the world wide web is inherently a public medium, with very well-established means to make content private (authentication, firewall restriction), none of which were employed here.
3) "All law is based on analogical reasoning. Analogies allow us to illustrate operative principles to help translate from familiar situations to unfamiliar ones."
You missed my point. I have no objection to using analogy to illustrate a point. What I am saying is that you find it impossible to describe what weev did as criminal without resorting to analogy, and that you entirely rely on the correctness of your analogies to support your assertions. If you had to make your argument without analogy, you would be unable.
2. A minority of "strict liability" crimes don't require intent. Those crimes are more strictly enforced, not less. The CFAA isn't a strict liability statute. Most statutes aren't, which is something you are thankful for.
Visiting a URL is like asking an employee to photocopy a document for you. As long as you don't misrepresent yourself it's absolutely reasonable.
We don't need people in your position adding to this culture of ignorance. The pathnames and parameters in a good web api are human readable, and human guessable, for a reason. The web is supposed to be human navigable.
If you (generically) don't like this, don't implement a plaintext service over a human readable protocol that almost everyone on the planet has a debugger for. If you must use this api, and place it in the midst of URLs you intend to be public, you must implement a password or use another intentional security feature.
Malls must mark private doors because the expectation otherwise (that they create) is that the mall is free to explore. By using http, and readable paths, and sequential record IDs, returning valid markup and unencrypted content, you're running a mall. Mark your doors or realize every area will be visited and plan accordingly.
Quit defending this legal nonsense or it'll soon be 'hacking' to ask for the next book in a series.
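The comment above says that a plaintext HTTP API with readable paths and sequential record IDs is a "mall" and that any area not deliberately marked private will be visited, so the operator must add a password or another intentional security feature. The following added example (written for this page, not code from any commenter or from AT&T) shows the two designs side by side: a record endpoint that consults only the ID in the path, and the same endpoint behind a session check plus an ownership check. The record store, session table, paths and token values are constructed sample data.

```python
"""Sequential record IDs with and without an intentional security feature.

Added example for this discussion. RECORDS, SESSIONS, the /api/records/<id>
path and the token values are constructed sample data, not real identifiers.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed sample store: sequential integer IDs -> owner and a private field.
RECORDS: Dict[int, Dict[str, str]] = {
    1001: {"owner": "alice", "email": "alice@example.com"},
    1002: {"owner": "bob", "email": "bob@example.com"},
    1003: {"owner": "carol", "email": "carol@example.com"},
}

# Constructed session table: bearer token -> authenticated user.
SESSIONS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}

PATH_RE = re.compile(r"/api/records/(\d+)")


@dataclass
class Response:
    status: int
    body: Optional[Dict[str, str]] = None


def _parse_record_id(path: str) -> Optional[int]:
    """Extract the integer record ID from /api/records/<id>, or None."""
    m = PATH_RE.fullmatch(path)
    return int(m.group(1)) if m else None


def _authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Map an 'Authorization: Bearer <token>' header to a user, or None."""
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return SESSIONS.get(token)


def handle_unprotected(path: str, headers: Dict[str, str]) -> Response:
    """The 'unmarked door': the ID in the path is the only thing consulted.
    Whoever can count can retrieve every record."""
    rec_id = _parse_record_id(path)
    if rec_id is None or rec_id not in RECORDS:
        return Response(404)
    return Response(200, {"email": RECORDS[rec_id]["email"]})


def handle_protected(path: str, headers: Dict[str, str]) -> Response:
    """The 'marked door': require a valid session, then require that the
    authenticated user owns the record (object-level authorization).
    Unknown and foreign IDs both answer 404 so the endpoint does not
    confirm which IDs exist."""
    user = _authenticate(headers)
    if user is None:
        return Response(401)
    rec_id = _parse_record_id(path)
    if rec_id is None or rec_id not in RECORDS:
        return Response(404)
    if RECORDS[rec_id]["owner"] != user:
        return Response(404)
    return Response(200, {"email": RECORDS[rec_id]["email"]})


def audit_sequential_ids(handler, ids: Iterable[int], headers: Dict[str, str]) -> int:
    """Regression check for the fix: count how many records a single caller
    can read by walking a range of sequential IDs. The unprotected handler
    yields every record; the protected one yields only the caller's own."""
    return sum(
        handler(f"/api/records/{i}", headers).status == 200 for i in ids
    )


if __name__ == "__main__":
    alice = {"Authorization": "Bearer tok-alice"}
    print("unprotected:", audit_sequential_ids(handle_unprotected, range(1000, 1010), {}))
    print("protected as alice:", audit_sequential_ids(handle_protected, range(1000, 1010), alice))
```

The point of `audit_sequential_ids` is that the fix is verifiable: run the same walk against both handlers and the count drops from every record in the range to exactly the caller's own. Returning 404 rather than 403 for records owned by someone else is a design choice so that the response does not reveal which sequential IDs are populated.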
Calling arguments I've made "nonsense" and "ignorance" doesn't make your argument stronger. It makes you sound emotional. That can be an effective card to play if you think your emotions are going to cow your opponent into shutting up. Is that what you're trying to do?
Moving on, you haven't addressed my point at all. URLs are human readable. We test a couple hundred web applications in any given year. How many ridiculous URLs do you think I've seen? I provided specific examples: human-readable URLs that human-readably gave up whole filesystems. Human-readable URLs that human-readably gave up SQL queries. Human-readable URLs that human-readably gave up private messages.
To follow your logic to its reasonable conclusion, all those vulnerable URLs were open season for Internet attacker^H^H^H^H^H^H^Husers; shame on those companies for over-exposing resources in URLs and then expecting the legal system to clean up after them! If that's what you believe, fine, but you're arguing for the decriminalization of a whole lot of very damaging attacks. And to what end? I guess my bill rate would go way up when people realized they had even less recourse against exploitation of bugs in their system.
Meanwhile, you've followed my logic to an improper conclusion. As Rayiner has tried to explain on numerous threads, the legal system is not a programming environment that evaluates objectively observable facts and spits out conclusions based solely on them. Crimes are (i) an intent to break the law and (ii) actions in furtherance of that attempt. It is not illegal to "ask for the next book in a series". But if an abortion clinic used a case management application with a bug that disclosed --- via human-readable URL --- the identities of all its patients, it absolutely should be a crime to use those URLs to dump confidential patient information to Pastebin.
None of this means I think Auernheimer deserves prison time for getting email addresses from AT&T. He was charged with identity theft, in part (I think) because the CFAA has a badly written 1-up mushroom clause that says computer fraud is extra bad when charged alongside another felony. The idea that email addresses of iPad subscribers constitute "identities" is ludicrous.
The idea that incrementing a URL is hacking goes against the designing principles of the web. Intended behavior isn't hacking. By either definition. Telling people that this is special creates a culture of ignorance where they think there's magic under the hood and never try to learn.
The idea that URL manipulation is hacking is factually incorrect and you hurt people by saying it.
This doesn't mean it's not an exploit, depending on circumstances. Many exploits don't require hacking. For instance, item cloning in a mmorpg. That something is exploitable doesn't mean you need to hack it. A "take a penny" dish is exploitable but taking the pennies isn't hacking.
As for emotional arguments, you responded to me with one. I know many sites do things their maintainers wouldn't want them to do, but sympathy doesn't justify bad laws.
I'm not arguing for decriminalization of hacking, but that this isn't hacking.
There are applications with human-readable URL schemes that will, with trivial manipulation of URLs, cough up arbitrary files from the server filesystem. Are those URLs OK to play with because of the "design principles of the web"?
Trying a key in a door isn't lock-picking, trying an obvious URL isn't hacking.
Earlier you argued by fear, that a badly configured server could send private data, and therefore editing URLs is hacking. Hell, I've seen servers with private data in the root dir. This is disconcerting, and bad for the company, but not hacking if you view the documents.
Similarly, incrementing a number, turning a page, clicking next, those are the expected, default, uses. They don't magically become a cyber attack simply because your software does exactly what you told it to.
Why are you unwilling to separate questions of legality long enough to make it clear that anyone in the world who can place one number after another could have done exactly the same?
Someone who unintentionally released private documents but thought they were hacked wouldn't have any incentive to change, or idea how. But if we were honest with them, they would.
I'm talking about very broad principles. Your claim is basically that AT&T's intent to keep the information private cannot be relevant because Weev cannot know what AT&T is thinking. I'm pointing out that while the law rarely charges you with reading minds, it is quite common to charge you with making reasonable inferences about other peoples' intentions.
> Accidentally publishing something via a public URL is the equivalent of accidentally publishing something in the newspaper, and equally negligent.
Thought experiment: how many cases do you think there are of people accidentally publishing their naked photos in a newspaper, versus leaving them in a publicly accessible directory?
> In other words, I believe that you are wrong. Any reasonable and computer literate person will assume that if information is available via a public URL without authentication it is intended for public consumption.
I disagree that a categorical rule is the only one a "reasonable" and "computer literate" person would support. I see no reason why we can't consider the surrounding context. A building on Michigan Ave with an open door creates a different inference, in the mind of a reasonable person, about whether they are allowed to walk in than a house in a residential neighborhood with an open door.
> There is a certain class of action for which this is true: actions that are expressly prohibited when undertaken with mens rea.
Again, I'm speaking in broad principles. Intent is the heart of the criminal law. The Model Penal Code, which represents the prevailing thought on criminal law in the U.S. applies it rigorously save for in one case (statutory rape of young children). Strict liability is the exception, and even that can be seen as a per-se judgment about intent.
> With regards to the matter of the CFAA and "exceeding authorization", in order to assert that what weev did was criminal you have to establish that the underlying action is illegal when undertaken with mens rea, not just that there was some ill intent.
The action was changing the number on a URL to access a different page. The intent was to get access to information that AT&T did not intend Weev to access. I don't see what's hard about this. Yes, it's not illegal to access a public URL, but that doesn't mean it can't be illegal to access a public URL with intent to get access to private information.
> with very well-established means to make content private (authentication, firewall restriction), none of which were employed here.
There are very well-established (thousands of years older than HTTP) means of making buildings private (locks), yet not employing one doesn't give you permission to enter!
Like the man or not, it's pretty easy for any technically savvy individual to see your information was leaked by AT&T, not this guy. He just pointed out what was going on. And this is hardly an "exploit" so much as stumbling across a glaring bug that he did report to a news organization, not leverage for profit.
Does this really deserve a sentence that will effectively ruin a man's life (beyond the damage that has allegedly already been done)? Have you so much as stopped doing business with AT&T?
I think the public has some responsibility to demand the justice system be fair for all individuals without bias, not just the ones we like. It's probably also worth asking what is being done about companies, like AT&T in this case, that are carelessly releasing said private information to the public while we are actively prosecuting people who stumble across it.
And if your intent is to sell the data, you don't use your real name when you get a media organization to write up the security hole.
Actually, if anyone needs to go to jail over it, it's the management team that didn't care to implement any security. After all, no hacking was done, just simple URL editing. If that's a crime, leaving the server open that way is a far bigger one.
The very idea that this dude is trying to compare himself to Swartz is laughable at best and in very, very poor taste.
To clarify, in no way do I think the punishment he might get fits the crime. The feds are being completely overzealous here. I just don't like that a guy who gets busted doing something completely self-interested tries to jump on the coattails of a genuine tragedy to stir up public support.
This case is absolutely like Aaron's, an over-zealous prosecutor doing absolutely nothing useful for society and pursuing a non-issue to potentially life-ruining levels.
And it's not that this guy is or is not a white-hat, but that AT&T and the government are effectively black hats. It's not his duty to hold their hands, but it's AT&T's duty not to lie or misrepresent the situation and it's the prosecutor's duty to serve the public good.
Let's get some answers to these questions.
Fayetteville, AR is a very poor/bad place and I think someone with a trivial amount of drugs, who is also a supreme internet troll, is not someone they'd want to prosecute locally.
Although court funding is state level, so Arkansas being poor overall would increase the desire to push stuff up to the feds. And I think states always do that anyway.