Exactly. This guy was very publicly trying to either blackmail or sell the data. As someone who had an iPad 3G and was alerted my info was stolen, I was pissed at the future spam I knew I'd end up getting out of the whole thing.
Weev is a troll. That's not a judgment, that's fact. His antics weren't about liberating data or making a bigger statement, it was about embarrassing a company. He did it for the lulz.
The law might not see these as different cases (though like you, I know I do), but public opinion certainly will.
To be totally honest, I'm sort of disgusted that he's using Aaron's suicide as fodder to try to gain sympathy or sentiment ahead of his sentencing.
Trolling is not illegal. Embarrassing a company is not illegal. Talking or joking about blackmailing a company on IRC is not illegal. Taking a security exploit first to a journalist, rather than the parties involved, is not illegal.
I am not a lawyer, but as I understand it, the crime that weev is being charged with is literally that he accessed certain publicly available URLs. For this, he is being charged with "accessing a computer without authorization" and fraud.
As for Aaron versus weev: our dedication to a principle is tested when it protects people that we don't like.
Crime = intent + action. Doing two otherwise legal things may amount to a crime. For example, it is not illegal to talk about killing your ex-wife. It is also not illegal to walk to her house with a chainsaw. Both those things are by themselves quite legal. But combine the two, and you can quite fairly be charged for attempted murder.
weev is not being charged with blackmail. As far as I know, he didn't do anything to accomplish that goal. He talked a little bit about it on IRC. Instead he went to a journalist, perhaps to increase his infamy.
It's become part of the trial to establish that he didn't have good intentions and is a generally obnoxious person. I have to say I agree with that - after discovering the issue, he downloaded lots of people's personal data, which wasn't admirable behavior. You might download 10, 20, 100, just to see what happens. After that, the right thing is to disclose it to the company (anonymously if you have to), and then publicly if they do nothing about it.
But if what he did is a crime, there should be a more tightly worded law about it. He didn't misrepresent his identity; it was AT&T's fault for not checking. He didn't access a computer without authorization; AT&T did the equivalent of emptying a box of private documents on their front lawn.
He never contacted AT&T. There was no talk of blackmail. He embarrassed the company.
The alleged crime was identity theft. The people he was accused of stealing the identity of were journalists whose emails and UCC-IDs were pulled out of the data in order to email it to them to get their attention.
It's a bullshit prosecution and I'm flabbergasted that people on this board 1) can't bother to dig up the facts and 2) support the feds prosecuting yet another hacker who didn't do shit.
It's very frustrating reading the analogies that you are attempting to use to describe the charges in this case.
Is what weev did the same as walking to your ex-wife's house with a chainsaw while you shout that you're going to murder her (God forbid)? No, of course not. Given the actual harm or potential harm incurred here, weev's crime was more like walking to your ex-wife's house with an oversized down pillow while you talk about giving her a spanking on the bottom with it.
Is what weev did the same thing as walking into a stranger's house through his unlocked front door and then rifling through his personal papers? I don't think so. It would be better to say it is the same thing as walking past a house after the owner has plastered it with old credit card statements and then remarking to a fellow passer-by that you might make some expensive purchases using that now-public information.
The problem with the charges filed against weev and the charges filed against aaronsw is that they were based on a law that so lacks specificity and grounding in actual computer practice that even computer professionals need to use analogies to justify the illegality of the acts. If the law were legitimate such analogies would not be required.
Is it fair to convict a person based on an analogy, when another analogy might be more correct? If an appropriate analogy is required to determine guilt, then does the analogy itself take on the weight of law, and if so, who is to determine the correct analogy to apply in such a case (when the choice of appropriate analogy is what determines guilt or innocence), the judge, or the jury? No, if an action is going to be criminal, it must be possible to describe that action itself in its own literal terms and thereby determine its criminality.
You write that "crime = intent + action", and then you talk about nothing but his intent. The fact is that the action he undertook can only be described as criminal insofar as accessing a public URL that is not otherwise publicized qualifies as "exceeding access", which is what the CFAA makes a crime.
This is the problem with your argument, with the cases against both weev and aaronsw, and with the CFAA itself. Whatever ill will may have existed in weev's mind (I'm sure there is plenty there to go around), for his action itself to be criminal, weev had to know what was in the mind of AT&T. And how could he? Because "authorization" is not a concept in the http protocol (or maybe there is, if you count http authentication, which wasn't used here) there are no methods besides clairvoyancy or pure guessing to determine whether a public URL is intended for open access or not. We have to assume that a public URL automatically grants authorization.
This is why the case against weev is so distressing. Although his intent may have been questionable, the actual action that is being prosecuted in this case is nothing more than fiddling with a url in a web browser. Who hasn't done this when looking through an image site like imgur.com or similar, just to see what's there randomly? We do this because it is universally accepted that unless a password restriction has been placed on a url, any publicly-accessible URL is intended to be viewed by the general public. Assuming anything else would break the Internet.
> Is what weev did the same as walking to your ex-wife's house with a chainsaw while you shout that you're going to murder her (God forbid)? No, of course not.
I'm not saying what weev did is as bad as attempted murder. I'm using the example to illustrate the concept.
> Is what weev did the same thing as walking into your house through your unlocked front door and then rifling through your personal papers? I don't think so. It would be better to say it is the same thing as his walking past your house after you plastered it with old credit card statements and then remarking to a fellow passer-by that he would do well to make some expensive purchases using that now-public information.
It's not like that at all. You're completely ignoring intent, and thereby taking the human element out of it and reducing it to the mechanical. If you plaster your house with credit card statements, a passer-by can reasonably infer that you intend to make the information public. Otherwise, why else would anyone do that? But AT&T clearly didn't intend to make the information public, and Weev's actions clearly suggest he knew that. AT&T made a mistake, but Weev took advantage of that mistake to access private information AT&T didn't intend to make public. The fact that I forgot to lock my door does not give you the right to go rifling through my shit! The fact that it's easy or even trivial to do so does not make it okay.
> The problem with the charges filed against weev and the charges filed against aaronsw is that they were based on a law that so lacks specificity and grounding in actual computer practice
I disagree with the contention that snooping around where you're not wanted for private information is grounded in "actual computer practice." It's grounded in a certain adolescent "hacker culture" that glorifies pushing people's buttons and getting around boundaries, but that is not coextensive with computer practice.
> that even computer professionals need to use analogies to justify the illegality of the acts. If the law were legitimate such analogies would not be required.
All law is based on analogical reasoning. Analogies allow us to illustrate operative principles to help translate from familiar situations to unfamiliar ones. Analogies in this case help illustrate the basic principle: just because it's easy to violate someone's property rights does not mean that such actions are not a violation.
> The fact is that the action he undertook can only be described as criminal insofar as accessing a public URL that is not otherwise publicized qualifies as "exceeding access", which is what the CFAA makes a crime.
What's unclear about the application of the CFAA here? He had a certain level of access to AT&T's information. He, through some means (it is utterly irrelevant the simplicity or difficulty of those means), exceeded his authorized access to get access to private information. He knew that he was getting access to information AT&T didn't intend him to access, and that AT&T had taken measures to conceal (it is utterly irrelevant how feeble those measures were). He then took the action of actually downloading that information. That's bad intent + accompanying action.
> Whatever ill will may have existed in weev's mind (I'm sure there is plenty there to go around), for his action itself to be criminal
This is a non-obvious feature of criminal law, but it needs to be understood. Under the law, "actions" are not criminal. Actions taken in a given frame of mind are criminal. The same action could be criminal or not depending on the intent. Take the simple act of entering someone's unlocked car. It can either be illegal trespass or not, depending entirely on whether you knew the car wasn't yours and you entered anyway.
> weev had to know what was in the mind of AT&T. And how could he? Because "authorization" is not a concept in the http protocol (or maybe there is, if you count http authentication, which wasn't used here) there are no methods besides clairvoyancy or pure guessing to determine whether a public URL is intended for open access or not. We have to assume that a public URL automatically grants authorization.
No, weev did not have to know what AT&T was thinking. The law does not hold him to that standard. The standard is objective: what would a reasonable person infer about AT&T's intentions? We do not have to use some bullshit mechanical assumption that ignores the simple fact that humans can do a pretty good job of guessing what other humans intend. You cannot tell me with a straight face that just because AT&T's security was trivial to get around that a reasonable person would conclude that AT&T had intended to grant open access to their members' e-mail addresses. That's the point of the "unlocked door analogy." Any normally functioning human being realizes that leaving a door unlocked does not create an inference that people are entitled to enter.
1) "The standard is objective: what would a reasonable person infer about AT&T's intentions? We do not have to use some bullshit mechanical assumption that ignores the simple fact that humans can do a pretty good job of guessing what other humans intend. You cannot tell me with a straight face that just because AT&T's security was trivial to get around that a reasonable person would conclude that AT&T had intended to grant open access to their members' e-mail addresses."
I think you are getting into the weeds here talking about legal standards. Do you know what the standard is when a party mistakenly discloses something (leaves confidential info on a park bench, or throws it out with the trash, or publishes it on a public website)? Do you know what the duties and obligations are of a person that discovers such a mistake? This is the area of established law that should be applied in this case. The "unlocked door" analogy is ridiculous. Accidentally publishing something via a public URL is the equivalent of accidentally publishing something in the newspaper, and equally negligent.
In other words, I believe that you are wrong. Any reasonable and computer literate person will assume that if information is available via a public URL without authentication it is intended for public consumption. If this were not the case, then it would fall on every internet user to interpret the intent of the publisher based on the contents of the accessed document, which is largely impossible without first obtaining access in the first place!
2) "Actions taken in a given frame of mind are criminal. The same action could be criminal or not depending on the intent."
There is a certain class of action for which this is true: actions that are expressly prohibited when undertaken with mens rea. Not all criminal acts require mens rea (drunk driving), and certainly not all actions can be treated as criminal even if there is some kind of ill intent (ridicule of a public figure, stealing someone's girlfriend). You are making very broad assertions about how the law works and they are not fully correct.
With regards to the matter of the CFAA and "exceeding authorization", in order to assert that what weev did was criminal you have to establish that the underlying action is illegal when undertaken with mens rea, not just that there was some ill intent. The underlying action of accessing a public URL is not criminal, as the world wide web is inherently a public medium, with very well-established means to make content private (authentication, firewall restriction), none of which were employed here.
3) "All law is based on analogical reasoning. Analogies allow us to illustrate operative principles to help translate from familiar situations to unfamiliar ones."
You missed my point. I have no objection to using analogy to illustrate a point. What I am saying is that you find it impossible to describe what weev did as criminal without resorting to analogy, and that you entirely rely on the correctness of your analogies to support your assertions. If you had to make your argument without analogy, you would be unable.
> I think you are getting into the weeds here talking about legal standards.
I'm talking about very broad principles. Your claim is basically that AT&T's intent to keep the information private cannot be relevant because Weev cannot know what AT&T is thinking. I'm pointing out that while the law rarely charges you with reading minds, it is quite common to charge you with making reasonable inferences about other people's intentions.
> Accidentally publishing something via a public URL is the equivalent of accidentally publishing something in the newspaper, and equally negligent.
Thought experiment: how many cases do you think there are of people accidentally publishing their naked photos in a newspaper, versus leaving them in a publicly accessible directory?
> In other words, I believe that you are wrong. Any reasonable and computer literate person will assume that if information is available via a public URL without authentication it is intended for public consumption.
I disagree that a categorical rule is the only one a "reasonable" and "computer literate" person would support. I see no reason why we can't consider the surrounding context. A building on Michigan Ave with an open door creates a different inference, in the mind of a reasonable person, about whether they are allowed to walk in than a house in a residential neighborhood with an open door.
> There is a certain class of action for which this is true: actions that are expressly prohibited when undertaken with mens rea.
Again, I'm speaking in broad principles. Intent is the heart of the criminal law. The Model Penal Code, which represents the prevailing thought on criminal law in the U.S., applies it rigorously save for in one case (statutory rape of young children). Strict liability is the exception, and even that can be seen as a per-se judgment about intent.
> With regards to the matter of the CFAA and "exceeding authorization", in order to assert that what weev did was criminal you have to establish that the underlying action is illegal when undertaken with mens rea, not just that there was some ill intent.
The action was changing the number on a URL to access a different page. The intent was to get access to information that AT&T did not intend Weev to access. I don't see what's hard about this. Yes, it's not illegal to access a public URL, but that doesn't mean it can't be illegal to access a public URL with intent to get access to private information.
> with very well-established means to make content private (authentication, firewall restriction), none of which were employed here.
There are very well-established (thousands of years older than HTTP) means of making buildings private (locks), yet not employing one doesn't give you permission to enter!
1. The set of vulnerabilities that can be expressed as "public URLs" is large. Important applications expose sensitive data without authentication all the time. They routinely give up access to their whole filesystem in file download systems. They reveal private messages by rotating integers. They manage to marshal raw SQL statements into URLs their developers didn't expect people to see. It simply cannot be the case that the standard for "unauthorized access" is "steps taken beyond entering URLs into a browser".
2. A minority of "strict liability" crimes don't require intent. Those crimes are more strictly enforced, not less. The CFAA isn't a strict liability statute. Most statutes aren't, which is something you are thankful for.
Guessing URLs isn't hacking. You of all people should know that. Some hacking can involve that, but it's as unrelated as noting that hackers eat.
Visiting a URL is like asking an employee to photocopy a document for you. As long as you don't misrepresent yourself it's absolutely reasonable.
We don't need people in your position adding to this culture of ignorance. The pathnames and parameters in a good web api are human readable, and human guessable, for a reason. The web is supposed to be human navigable.
If you (generically) don't like this, don't implement a plaintext service over a human readable protocol that almost everyone on the planet has a debugger for. If you must use this api, and place it in the midst of URLs you intend to be public, you must implement a password or use another intentional security feature.
Malls must mark private doors because the expectation otherwise (that they create) is that the mall is free to explore. By using http, and readable paths, and sequential record IDs, returning valid markup and unencrypted content, you're running a mall. Mark your doors or realize every area will be visited and plan accordingly.
Quit defending this legal nonsense or it'll soon be 'hacking' to ask for the next book in a series.
This was an unfriendly comment. People here obviously think I'm pretty snarky and a bit of an asshole and I'm fine with that, but I don't generally write comments singling people who disagree with me out by name and demanding that some circumstance of their career or status or upbringing requires them to agree with me at their own moral peril. I wish you could just disagree with me objectively.
Calling arguments I've made "nonsense" and "ignorance" doesn't make your argument stronger. It makes you sound emotional. That can be an effective card to play if you think your emotions are going to cow your opponent into shutting up. Is that what you're trying to do?
Moving on, you haven't addressed my point at all. URLs are human readable. We test a couple hundred web applications in any given year. How many ridiculous URLs do you think I've seen? I provided specific examples: human-readable URLs that human-readably gave up whole filesystems. Human-readable URLs that human-readably gave up SQL queries. Human-readable URLs that human-readably gave up private messages.
To follow your logic to its reasonable conclusion, all those vulnerable URLs were open season for Internet attacker^H^H^H^H^H^H^Husers; shame on those companies for over-exposing resources in URLs and then expecting the legal system to clean up after them! If that's what you believe, fine, but you're arguing for the decriminalization of a whole lot of very damaging attacks. And to what end? I guess my bill rate would go way up when people realized they had even less recourse against exploitation of bugs in their system.
Meanwhile, you've followed my logic to an improper conclusion. As Rayiner has tried to explain on numerous threads, the legal system is not a programming environment that evaluates objectively observable facts and spits out conclusions based solely on them. Crimes are (i) an intent to break the law and (ii) actions in furtherance of that attempt. It is not illegal to "ask for the next book in a series". But if an abortion clinic used a case management application with a bug that disclosed --- via human-readable URL --- the identities of all its patients, it absolutely should be a crime to use those URLs to dump confidential patient information to Pastebin.
None of this means I think Auernheimer deserves prison time for getting email addresses from AT&T. He was charged with identity theft, in part (I think) because the CFAA has a badly written 1-up mushroom clause that says computer fraud is extra bad when charged alongside another felony. The idea that email addresses of iPad subscribers constitute "identities" is ludicrous.
I was addressing your ideas, not you. But everything you say comes with an aura of wizard and that's why I'm taking issue with you saying things that would merely be opinion from someone else.
The idea that incrementing a URL is hacking goes against the designing principles of the web. Intended behavior isn't hacking. By either definition. Telling people that this is special creates a culture of ignorance where they think there's magic under the hood and never try to learn.
The idea that URL manipulation is hacking is factually incorrect and you hurt people by saying it.
This doesn't mean it's not an exploit, depending on circumstances. Many exploits don't require hacking. For instance, item cloning in an MMORPG. That something is exploitable doesn't mean you need to hack it. A "take a penny" dish is exploitable but taking the pennies isn't hacking.
As for emotional arguments, you responded to me with one. I know many sites do things their maintainers wouldn't want them to do, but sympathy doesn't justify bad laws.
I'm not arguing for decriminalization of hacking, but that this isn't hacking.
I feel like I was pretty clear, so I'm puzzled by this response. Let me distill my last comment.
There are applications with human-readable URL schemes that will, with trivial manipulation of URLs, cough up arbitrary files from the server filesystem. Are those URLs OK to play with because of the "design principles of the web"?
But not lock-picking. Why are you trying so hard to label this hacking?
Earlier you argued by fear, that a badly configured server could send private data, and therefore editing URLs is hacking. Hell, I've seen servers with private data in the root dir. This is disconcerting, and bad for the company, but not hacking if you view the documents.
Similarly, incrementing a number, turning a page, clicking next, those are the expected, default, uses. They don't magically become a cyber attack simply because your software does exactly what you told it to.
Why are you unwilling to separate questions of legality long enough to make it clear that anyone in the world who can place one number after another could have done exactly the same?
Someone who unintentionally released private documents but thought they were hacked wouldn't have any incentive to change, or idea how. But if we were honest with them, they would.
As I said, crime = intent + action. If you kill someone, and you had no bad intent (it was neither your purpose to kill them nor were you acting negligently), then there is no crime. At the same time, if you fully intend to kill someone, but don't take any action consistent with that intent, there is no crime. The two factors must also exist simultaneously. If you intend to kill someone, and buy a gun, you can be charged with attempted murder. If you fully intend to kill someone today, but then change your mind, and tomorrow buy a gun because of a rash of burglaries tomorrow, then there is no crime.
Now, obviously we can't get inside someone's head. So we infer intent from action. But we must always remember that the focus is not the action, but what the action says as evidence of the person's intent. And no matter what intent is inferred, there must still be independent action towards committing the crime.
So no, it's not illegal to say "I might do this." But, saying "I might do this" can amount to evidence that you intend, in fact, to do this, and if you independently take some other action consistent with this intent, you can be charged with an attempted crime.
Is that really right? So let me get this straight: If I buy a gun with the notion that I intend to hunt a bear with it, maybe not even knowing that it's illegal, then I read on the internet that bears are super deadly and stay home, I'm still guilty of attempting to hunt a bear because I bought a gun intending to hunt a bear with it?
What if I go to the beach at night not knowing that you can't enter the beach after sunset, then when I get there I see the sign and turn back without going in? Attempted trespassing on the beach after sunset for driving to the beach with that intent?
It seems like there has to be a piece missing somewhere. I mean what if my intent is to do something I'm not sure is a crime but in actual fact is and the act in furtherance of it is to call my lawyer and ask where it's actually a crime? I have to be missing something here.
Note that I'm talking about the Model Penal Code, which has been strongly influential on American criminal law over the last 50 years, but isn't 100% the actual law anywhere. Attempts are one of those areas where the MPC is probably too academic and actual states diverge. E.g. the MPC punishes attempts as harshly as the actual crimes, because it focuses so heavily on intent.
In the MPC, there are (at least) three backstops.
1) The act in furtherance must be a "substantial step" and "strongly corroborative of criminal intent." The latter language creates a sliding scale for the former. Building a dirty bomb might be a substantial step towards a terrorist plot, but "attempted bear hunting" probably requires a park ranger to find you aiming at a bear.
2) Abandonment of the plan is a complete defense.
3) The mens rea for attempts is high. Actual crimes that require only reckless intent require purposeful intent for attempts at committing that crime.
I have no issue with his personality being judged in the court of public opinion but I must ask if you really think he deserves this case being brought against him?
Like the man or not, it's pretty easy for any technically savvy individual to see your information was leaked by AT&T, not this guy. He just pointed out what was going on. And this is hardly an "exploit" so much as stumbling across a glaring bug that he did report to a news organization, not leverage for profit.
Does this really deserve a sentence that will effectively ruin a man's life (beyond the damage that has allegedly already been done)? Have you so much as stopped doing business with AT&T?
I think the public has some responsibility to demand the justice system be fair for all individuals without bias, not just the ones we like. It's probably also worth asking what is being done about companies, like AT&T in this case, that are carelessly releasing said private information to the public while we are actively prosecuting people who stumble across it.
Typical. You blame the person who discovered the hole instead of the incompetent developers and negligent company that made millions from cutting corners.
Actually, if anyone needs to go to jail over it, it's the management team that didn't care to implement any security. After all, no hacking was done, just simple URL editing. If that's a crime, leaving the server open that way is a far bigger one.
When a vulnerability/exploit is discovered, there's a difference between dealing with it responsibly and using it to troll people "for the lulz". Don't paint this guy as a white hat trying to help AT&T patch their poor security.
The very idea that this dude is trying to compare himself to Swartz is laughable at best and in very, very poor taste.
to clarify, in no way do i think the punishment he might get fits the crime. the feds are being completely overzealous here. i just don't like that a guy who gets busted doing something completely self-interested tries to jump on the coattails of a genuine tragedy to stir up public support.
Personally I find it gauche when people judge the worthiness of someone else, merely because other people have had an even rougher time.
This case is absolutely like Aaron's, an over-zealous prosecutor doing absolutely nothing useful for society and pursuing a non-issue to potentially life-ruining levels.
And it's not that this guy is or is not a white-hat, but that AT&T and the government are effectively black hats. It's not his duty to hold their hands, but it's AT&T's duty not to lie or misrepresent the situation and it's the prosecutor's duty to serve the public good.