
My view, having read most of the prosecution's statement, as well as having chatted with weev about this, is that the system was open to the public.

Here's why. The prosecution details the steps Spitler took: downloading the iPad image, decrypting it, finding the url the system used (I'm guessing by running strings), and then spoofing an iPad browser request via the user agent string, and providing the userid to obtain an email address.

IANAL, but it seems that they are maybe trying to make the case that the user agent string was equivalent to a password, or that decrypting the image was the point of exceeding access. If decrypting the image was the issue, then I imagine this would be placed with all the other similar cases (DeCSS, etc.), but it wouldn't constitute identity fraud. If the user agent string is seen as the password, then that is the weakest security system I've ever seen.

I haven't actually kept up with how AT&T apparently fixed it, but it seems that a rational response to this would be to make users authenticate with their own password BEFORE it spits out information like an email address. If you don someone's userid but have no password (or session id token, etc), I'd suggest that's impersonation, but not identity theft or fraud. If we're going to criminalize impersonation, I guess the Saturday Night Live cast needs to find a new career.

That said, I totally understand why weev contacted reporters and not AT&T. We're in an age where contacting large corporations about security fixes typically results in a gag order on the security researcher and no fix (hi Cisco). By contacting a reporter, he increased the chance that the story would get out and AT&T would fix the issue.

Finally, a lot of people have suggested that weev "deserved" to go to jail for other things he's done. I'm not denying he's a troll, and he has done some over the top things. However, it's not illegal to be a troll, and while one might say he should be in jail for other things he has done, he is currently in jail for this. IMHO, the punishment not only outweighs the crime, but in conjunction with the other abuses of CFAA prosecution we've seen lately (such as Aaron Swartz), I think it's time we stop allowing the government to use poster children like weev as punching bags for obvious career boosting agendas.
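The mechanism described in the comment above (a user-agent check standing in for authentication, with the userid in the request selecting whose e-mail comes back) and the Firefox user-agent question raised further down can be made concrete. The following is an added example in Python, not code from this thread or from AT&T's system; the account ids, e-mail addresses, passwords and the `DIRECTORY`/`SESSIONS` names are constructed for illustration. It puts a handler that gates only on `User-Agent` beside one that returns data only for the account bound to a server-side session.

```python
"""Added illustration: a lookup gated on User-Agent versus one gated on a session.

The data and names below are constructed for this example; nothing here is
AT&T's code or the original endpoint.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample directory: opaque account id -> e-mail address.
DIRECTORY: Dict[str, str] = {
    "8901000000000000001": "alice@example.com",
    "8901000000000000002": "bob@example.com",
}

IPAD_UA_MARKER = "iPad"


def weak_lookup(headers: Dict[str, str], params: Dict[str, str]) -> Optional[str]:
    """The only gate is the User-Agent header, which every client chooses freely.

    Once the UA looks like an iPad, any id present in the directory is answered,
    so the caller picks the victim by changing the id in the request.
    """
    if IPAD_UA_MARKER not in headers.get("User-Agent", ""):
        return None  # non-iPad clients see the 'error page'
    return DIRECTORY.get(params.get("id", ""))


# Hardened variant: a password proves control of the account, and a random
# session token, stored server-side, binds later requests to that account.
_SALT = b"constructed-salt"  # assumption: per-user salts in a real system
_PASSWORD_HASHES: Dict[str, bytes] = {
    "8901000000000000001": hashlib.pbkdf2_hmac("sha256", b"alice-pass", _SALT, 100_000),
    "8901000000000000002": hashlib.pbkdf2_hmac("sha256", b"bob-pass", _SALT, 100_000),
}
SESSIONS: Dict[str, str] = {}  # token -> account id


def login(account_id: str, password: str) -> Optional[str]:
    """Return a fresh session token if the password matches, else None."""
    stored = _PASSWORD_HASHES.get(account_id)
    if stored is None:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if not hmac.compare_digest(stored, candidate):  # constant-time comparison
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account_id
    return token


def hardened_lookup(headers: Dict[str, str], params: Dict[str, str]) -> Optional[str]:
    """Answer only for the account the session belongs to.

    The id parameter is accepted for API compatibility but must equal the
    session's own account; the User-Agent header plays no role at all.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    account_id = SESSIONS.get(auth[len("Bearer "):])
    if account_id is None or params.get("id") != account_id:
        return None
    return DIRECTORY.get(account_id)


if __name__ == "__main__":
    spoofed = {"User-Agent": "Mozilla/5.0 (iPad; CPU OS 3_2 like Mac OS X)"}
    print(weak_lookup(spoofed, {"id": "8901000000000000002"}))  # bob's e-mail
    tok = login("8901000000000000001", "alice-pass")
    print(hardened_lookup({"Authorization": f"Bearer {tok}"}, {"id": "8901000000000000002"}))  # None
```

The weak handler answers for any id once the header says "iPad", which is exactly why a spoofed UA plus an enumerated id is enough; the hardened one ignores the header entirely and ties the answer to whoever proved the password.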




A security system's weakness does not grant permission to break it. That gets said every time we have this conversation, but I guess it needs to be said again.


When does accessing a system turn into breaking a security system? Let's say I am trying to access an Internet Explorer only website with Firefox, and it gives me an error. I change my user agent, and it lets me in. Did I just commit a crime?


According to the law, and what seems like common sense to me, when you know or should have known that you were accessing something you weren't meant to.


And who gets to define when you're "meant" to? The law we're talking about was written in 1986, before the web even existed. Haven't we already had this conversation with regards to Google (the debacle over the robots file) and other systems?

Finally, even if it is concluded that weev committed a crime, something with which I disagree, would you say it's ok to punish it by nearly 4 years in prison, denial of medical care, and solitary confinement for using email? All of those things have happened after he was indicted.


Same people who decide every other time the law calls for consideration of intent and mental state of defendants (which is a lot) -- the judge and jury.


And that gets back to what the authors of the article are talking about. The judge and jury have no idea what this long-haired, bearded internet troll actually did. So they accepted the prosecution's assertion of, "He's a witch!" and handed down a guilty verdict.


He accessed data belonging to other people that he should not have, and knew he should not have. (And then went on to make very unwise statements about his intentions of how to handle that data.)

That's all that really matters to the judge and jury. The technical aspects don't matter much to them.

Also: If ease of access to information means anyone can take it, do you mean to say the NSA should take whatever they want because people don't encrypt their data?


If that information is so valuable, then shouldn't some burden be placed on AT&T for negligence? If this had been health care records, AT&T would have been required to notify users and possibly pay a fine. Perhaps it makes sense to have similar laws in place to protect all data, as Europe does (see ECHR).

The point here is, if we want to nail weev to a cross, AT&T should be nailed up right next to him.


Some blame should surely be placed at AT&T's feet too, but IMO not as much. Going back to the door analogy, whoever leaves it carelessly unlocked will definitely get less sympathy (e.g. insurance may decline to cover the loss), but that does not mean they're anywhere near as guilty as the thief who actually committed the burglary.


I don't think the door analogy entirely works here. Here's why:

For a typical burglary, person A leaves their door unlocked, and person B walks in. The items clearly belong to person A, and when person B takes them and walks out, theft has clearly occurred.

In this case, person A walks near person B's house, and sees that person B has laid the possessions of person C all over the sidewalk. Person A brings out their duplicator machine, creates mirror images of all person C's items, takes those mirror images, and walks away.

While there is a question of whether person A should have duplicated those items, person C is sitting across town clueless as to what's going on. There's also the question of whether person B should have left things all over the sidewalk, or should have placed the things behind the door.

If we begin comparing accessing a website to opening a door, that creates a lot of legal confusion. IANAL, but IIRC, the current legal understanding is that a computer on a network falls under the jurisdiction of the network. If that's the case, and we consider the Internet to be a public place, then a web server placed on the internet becomes public, unless there's a password on it. If, instead, we consider web servers to be like doors, where you need permission to access them, then anyone who spiders a website might be considered guilty of attempted breaking and entering. For another example, does it make more sense to allow smartphone apps to have full access to your phone by default, or should permission be granted for special capabilities? AFAIK, consent in this area is not very well defined.

In the traditional sense of theft, there is an object that I once had in my possession and it has now been taken from me. That doesn't really work so well with digital media where the supply issue goes away.

There's a lot more to this discussion, but I'm curious what the next response will be :)


I have a pretty good understanding of what he actually did, and when I think about the implication of immunizing every similar action by anyone on the Internet --- any vulnerability triggered by a preauth GET handler --- I have no trouble seeing why what he did was illegal. You can safely monkey around with other people's systems under that reading of the CFAA. But, once you find yourself getting private information about other users, you know something's wrong, and you need to stop right away. He didn't. Coming into that knowledge and then continuing to exploit the system is the crux of the prosecution's case here, not the nature of URLs.

But, again: I think this case didn't deserve to be prosecuted, and I think CFAA's sentencing should be revised to ensure that in the future prosecutors have no incentive to push pointless cases like it.


We aren't arguing about what he did. We are arguing about why he did it. Did you seriously just not read the entire conversation above the comment? The technical aspects of exactly what he did aren't important.



