Expose A Blatant Security Hole In AT&T's Servers, Get 3.5 Years In Jail
from the now-the-holes-will-be-open-longer dept
We've written a few times about the case of Andrew Auernheimer, perhaps better known as weev. While he has a bit of a reputation as an online troll and self-admitted jerk, his case is yet another example of how ridiculously broken the CFAA (Computer Fraud and Abuse Act) remains. In this case, what he did was expose a pretty blatant security hole in AT&T's servers that allowed anyone to go in and find the email address of any AT&T iPad owner, merely by incrementing the user ID. This isn't a malicious "hack." It's barely a "hack" at all. This isn't "breaking in." This is just exploring a totally broken system. To call attention to this, weev collected information on a bunch of famous folks who had iPads and alerted the press. This is what security folks do all the time. And for his troubles in helping AT&T discover and close a pretty bad security hole, he's been sentenced to 41 months in prison, plus he has to pay $73,000 to AT&T. One hopes AT&T will use it to hire half a decent security person or something.

The sentencing, by the way, was near the top of the "guidelines" the judge had, for those who insisted that the courts in other CFAA cases, such as Aaron Swartz's, might be lenient.
Plenty of people -- especially in the security community -- are realizing what a ridiculous ruling this is and how dangerous it is. As people are starting to point out, while he may be a jerk, that doesn't mean he's a criminal. The prosecution used chat logs in which Auernheimer and a friend, Daniel Spitler, discussed the effort, and the fact that they talked about harming AT&T's reputation and promoting themselves as security experts. I don't see how that leads to any criminal activity, though. AT&T's reputation should be tarnished for having crap security. And why wouldn't some researchers talk about using the discovery of a really bad privacy hole at a major corporation to boost their own credentials? Pretty much anyone in their shoes would reasonably think the same thing.
Prosecutors, of course, played up Auernheimer's history of being a jerk, but that alone has little to do with his actions here:
"His entire adult life has been dedicated to taking advantage of others, using his computer expertise to violate others' privacy, to embarrass others, to build his reputation on the backs of those less skilled than he," wrote U.S. Attorney Paul Fishman, who went on to note the "atypical recalcitrance by the defendant to conform to the laws regarding unauthorized computer access."

While that may be true, none of that, by itself, is illegal. And the actions that exposed a glaring hole put in place by bad programmers at AT&T shouldn't be either.
Reader Comments
Expose stupidity, go to jail.
Expose duplicity, go to jail.
Expose the destruction of citizens freedoms, go to jail.
Destroy the economy, get handed lots of cash.
Re: Then again
Act like a jerk for many years
Build a reputation for being a real asshole
Piss off a lot of innocent people
Actively make enemies whenever possible
Openly defy anybody to do anything about it
...and the first chance you give them an opening to take a shot at you, what else can you realistically expect? Build up a big enough negative balance in your "payback account" and sooner or later somebody will call in the loan.
Re: Re: Re: So what?
If it was, my entire condominium board would be serving life sentences.
Re: Re: Re: So what?
And I am guessing the judge thought the same thing.
Re: Re: Re: Re: Re: So what?
> or a psychologist with 10 degrees of study
> on the human psyche.
Well, if this was the one time he wasn't acting with ill intent, then he has only himself to blame for creating that expectation in others with his lifetime history of assholery.
Re: Re: Then again
Um, maybe to act like adults and use some sort of discretion and judgement? Trust me, I wish I could send every asshole I came across to jail, but that's not how it works - for us normal folks, at least.
Re: Re: Re: Then again
Of course, that sentence should be shared between him and the board of AT&T for allowing crap like that to happen and then playing innocent victim when it does.
I think the only real victims in all of this were the AT&T customers who had their private communication splashed around the internet.
Re:
Since this has obviously never happened anywhere else in the known universe, we can all share our total disgust with everything that the present administration has done and is going to do. Obviously the GOP is much better and this would not have happened if they were in control of everything.
.... /s jic
Re: Re:
The administration SHOULD ABSOLUTELY be taken to task for failure to do what they said was a priority. Arguing that the GOP would not do any better is a pseudo strawman argument.
Re: Re: Re:
Check out who did the actual OKs on the prosecution.
Odds are they're Republicans or Republican appointees.
Your Jung is showing.
Attempting to blame it on anyone is just dishonest.
You've got an obvious cognitive dissonance brewing there. There's a truth to this situation you're not willing to face.
The Guardian hacked me like this
I'm not so stupid as to allocate sequential IDs, and we had alerts in place for suspicious activity, because a lot of people try to obtain information by modifying URLs. I think some of the major ESP hacks were done like this.
But it turned out there was a pattern to our IDs that could be guessed and if you made a few calls per hour per IP then you could very slowly syphon out data. I think the journalist made about 5 calls and then stopped, which was just under the threshold for alerting.
When this turned up in an online article that tried to embarrass one of my clients (with no prior warning that I'm aware of, and I *would* have been told), we rapidly patched the issue by making the IDs much more sparse.
We didn't dream of contacting the police, the Guardian didn't contact us, and basically I was happy that the security hole was fixed.
BTW we also went through our logs and nobody else was trying the same attack. Some people trying high-volume attacks, of course, but they'd already been blocked automatically.
I suspect my experience is much more typical of what usually happens.
Re: The Guardian hacked me like this
> We didn't dream of contacting the police, the Guardian didn't contact us, and basically I was happy that the security hole was fixed.
No it wasn't. You just made it somewhat harder to guess the IDs. You're still relying on security by obscurity, you just increased the obscurity.
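The article describes the hole as a lookup that hands back a subscriber's record for any identifier the caller supplies, and the Guardian thread above argues over whether sparser IDs and a per-hour alert threshold fix that. The Python below is an added example, not code from Techdirt, AT&T or any commenter: the records, session tokens, IP addresses and log entries are constructed, and the threshold values are assumptions chosen to make the two detection styles diverge.

```python
"""Added example (not from the Techdirt post or its commenters).

1. A lookup that returns a record for any caller-supplied identifier is
   insecure because it never checks who is asking, not because the
   identifier is guessable. Sparser IDs leave that unchanged; binding the
   record to the authenticated session closes the hole.
2. A fixed per-IP, per-hour alert threshold misses a scraper that stays
   just under it. Counting distinct identifiers per client over a long
   window catches the low-and-slow pattern and ignores a legitimate client
   that merely reloads its own record.

Every record, token, IP address and log entry here is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed directory: identifier -> record (stand-in for ICC-ID -> email).
RECORDS = {
    "8901000000000000001": {"email": "alice@example.invalid"},
    "8901000000000000002": {"email": "bob@example.invalid"},
    "8901000000000000003": {"email": "carol@example.invalid"},
}

# Constructed sessions: session token -> identifier that session owns.
SESSIONS = {"tok-alice": "8901000000000000001", "tok-bob": "8901000000000000002"}


def lookup_insecure(icc_id):
    """The pattern the article describes: a valid identifier is all it takes.
    Anyone iterating the identifier space walks the whole directory."""
    return RECORDS.get(icc_id)


def lookup_authorized(session_token, icc_id):
    """Hardened form: honour the identifier only when it belongs to the
    authenticated session. Other IDs yield nothing, however dense or sparse
    the identifier space is."""
    owner = SESSIONS.get(session_token)
    if owner is None or owner != icc_id:
        return None  # no session, or not the caller's own record
    return RECORDS.get(icc_id)


def build_constructed_log():
    """Constructed access log as (timestamp, client_ip, icc_id) tuples.

    203.0.113.7 requests 4 consecutive identifiers per hour for 6 hours:
    under a 5-per-hour threshold, yet 24 distinct records in total.
    198.51.100.20 reloads its own record 8 times within one hour.
    """
    base = datetime(2013, 3, 18, 9, 0, 0)
    events = []
    for hour in range(6):
        for k in range(4):
            ts = base + timedelta(hours=hour, minutes=15 * k)
            events.append((ts, "203.0.113.7", str(8901000000000000100 + hour * 4 + k)))
    for k in range(8):
        events.append((base + timedelta(minutes=5 * k), "198.51.100.20", "8901000000000000001"))
    return sorted(events)


def flag_hourly(events, max_per_hour=5):
    """The threshold style the Guardian commenter describes (limit value is an
    assumption): flag a client that exceeds max_per_hour requests in any
    clock hour. Returns the set of flagged client IPs."""
    counts = defaultdict(int)
    for ts, ip, _ in events:
        counts[(ip, ts.replace(minute=0, second=0, microsecond=0))] += 1
    return {ip for (ip, _), n in counts.items() if n > max_per_hour}


def flag_distinct_ids(events, window=timedelta(hours=24), max_distinct=10):
    """Flag a client that requests more than max_distinct different
    identifiers inside any sliding window. Request rate is irrelevant: a real
    subscriber has one identifier, a scraper touches many."""
    by_ip = defaultdict(list)
    for ts, ip, icc_id in events:
        by_ip[ip].append((ts, icc_id))
    flagged = set()
    for ip, hits in by_ip.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if len({i for _, i in hits[start:end + 1]}) > max_distinct:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    print("insecure lookup of someone else's ID:", lookup_insecure("8901000000000000002"))
    print("authorized lookup of someone else's ID:", lookup_authorized("tok-alice", "8901000000000000002"))
    log = build_constructed_log()
    print("hourly threshold flags:", flag_hourly(log))             # only the legitimate reloader
    print("distinct-id detector flags:", flag_distinct_ids(log))   # the scraper
```

The hourly threshold flags the wrong client (the subscriber reloading its own record) and misses the scraper; the distinct-identifier count does the reverse, which is the point the reply above makes about obscurity.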
Bad idea
Basically, a guy finds a flaw in a website, and reveals it (after being slightly nefarious to show that it's an issue and get it publicity).
For bringing it to the attention of the public, he gets punished.
If he had kept it secret and just leaked the information without revealing himself, which he could have done, the security hole may not have been notified to AT&T.
Basically it means that amateur security people will no longer find these holes in large corporations, meaning people who want to exploit them for personal gain will have a much easier time of keeping them secret or finding them first.
Resulting in a LESS secure system, due to laws which are supposed to improve security.
If your law against hacking results in hacking being driven more underground and people NOT revealing security flaws they find, you're doing it wrong.
Re: Bad idea
Too often we punish the people who are trying to help us because of ego.
Re: Bad idea
Yep. Since companies generally don't suffer any kind of punishment for security breaches, they don't have much incentive to fix or prevent them - unless they become very public knowledge. Therefore, they would rather punish and silence security people so they don't have to spend the money to fix their problems.
Et tu
Funny how this quote could, with minor grammatical modifications, be applied to the "victim", AT&T...
Reminds me of a book about the government being wrong and you being right and how dangerous that is.
Here is another case where jury nullification is required to be put in action.
Re:
Who gets screened out? The ignorant and the honest.
Re: Re:
Yeah, I know. Whenever I was asked that question in selection I lied and said 'yes'. People are the easiest system to 'hack'.
Re: Re:
I kinda wish they would have a three strikes and you're out program for jury selection nationwide. California has the one strike and you're out, which the jury administrators hate but which works so well for me.
Being an Engineer/Scientist, and a Libertarian, the only way I ever get selected on a jury is when the lawyers aren't paying attention (or are planning to plead guilty anyway.) Usually I am challenged, sometimes the first challenged in a jury pool. I always feel like the nerd on the playground...nobody wants me for their jury, but yet they keep calling me in (because I show up knowing that it is a privilege to do so.) In the 21 times I've been called in for jury duty, the three or four dozen cases, I've sat on two juries (both in which I played a limited role.) I don't know why the courts hate engineers and libertarians so much, but it seems like they think those people have already made up their minds, unlike school teachers and philosophers.
It was nice when California chose the one day, one trial system. At least I don't have to keep coming back to be rejected...
Re: Re: Re:
So why don't the lawyers who expect to lose want to throw in a wild card to improve their chances? I think it's because they don't understand probability and can't evaluate situations dispassionately.
Re: Re: Re: Re:
Yeah, but it is always fun when it backfires on them. I know a couple school teachers that can never sit on another jury because they were part of a "deadlocked" jury. If there is one thing that gets you removed quicker than an Engineer or libertarian, it is someone who sat on a jury that deadlocked.
> So why don't the lawyers who expect to lose want to throw in a wild card to improve their chances? I think it's because they don't understand probability and can't evaluate situations dispassionately.
I guess that makes me feel better...
Re:
Instead, collect the names and email addresses of as many users as you can and sell them to a marketing firm.
Re: Re:
As someone who has exposed stuff in the past, be wary of the job offer or the bribe. If you aren't a member of the establishment, taking a job offer or a bribe may be seen as extortion.
I had one company that wanted to pay me off to make me go away and stop bothering them. I had no problem "working with them" but my personal beliefs and the attitudes of my then current employer steered me away from taking any money from them. After working with them for a while, I got the impression from one of their engineers that the company was kinda hoping that I would have taken the money so that they could have had me prosecuted/fired from my job.
No good deed goes unpunished
Meanwhile...
...in Serbia.
What did the DPC have to say about the hacking?
and
When did things get so out of hand, here in America?
Re: Meanwhile...
It's the slanted opinion of a "hacker" and "cybersecurity". A "hacker" must have done it. "Hackers" are evil. We don't want "hackers" in our system. Throw the book at this "hacker" rather than fix any security issues. I mean it's worked until now right? So only a "hacker" can cause problems.
Where they need to be careful is that someone who finds something that could prevent a national disaster keeps quiet, for fear that those who should have found the information will be so pissed that they charge the finder and jail him rather than admit to their own failings, just to save face!
Re: Re: Uuuuhh...
Computer Fraud and Abuse Act - Wikipedia, the free encyclopedia
en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act
The Computer Fraud and Abuse Act of 1984 (CFAA) was intended to reduce cracking of computer systems and to address federal computer-related offenses.
He did not get on the phone to AT&T's security department and disclose it, but exploited it, got a bunch of information from that exploit, and that is the main illegal thing he did. Try to downplay that if you like, but facts are facts.
Re:
It might be a better thing to call them and explain the situation but there is no legal reason to do it.
That is unless you reside within America and have the audacity to point out the Emperor and his minions are wearing no clothes and shout it out in public.
As for the character assassination that the prosecutor brought to bear in court, I'm amazed that the US legal system allows character in ANY criminal trial, because nowhere else does, since it bears no relevance whatsoever to the instance of the alleged action(s) in the matter at hand. And no, not even to mens rea.
Though I'm not surprised at the sentencing, it was about 'cyber' attacking one of the USA's (all the way) darlings of industry who could in no way shape nor form be negligent ever in their upholding of security and their customer information. Well the rest of the world knows they are negligent, but consumer privacy laws only ever apply when it happens to a company it seems in the USA.
I'm amazed he didn't get the chair
That is also a criminal act: to deliberately harm a company is called industrial espionage or sabotage. You don't have to be connected to a competing company to be guilty of seeking to wilfully damage a company.
Re:
Jailing someone for discovering a security hole and making it public will have obvious chilling effects. This is plainly an overreaching application of the CFAA.
Re: Re:
I for one will be happy to help out in this respect.
US companies are not going to be happy if that occurs, and neither will the US Government. Also, fewer people will feel that there is any ethical obligation to tell the company first, and will instead just publish anonymously (or via proxy as above) and do more harm to the company. Which sometimes isn't a bad thing.
Re: Re: Re:
Yes, but the problem is, unless you exploit the flaw, the company will just say it is a theoretical flaw that has no practical implications and thus is not worth their time and effort to fix. Been there, done that.
Not that this gentleman did the right thing, but in some cases, the only way to show that the flaw is real and is something they need to fix is to show them how easy it is to exploit and what the damages are.
Re: Re: Re: Re: Re:
Your analogy can only hold so far, because your home's security flaws affect only you and your family, while AT&T's affect millions of people.
Re: Re: Re: Re: Re: Re:
Yeah, what he said.
Though I'd note that you have absolutely no requirement, contractually or legally, to not ignore your neighbor's warning. If the alarm company or the police ignore the warning, then that is their problem. However, just like everything else, including being a hero or saving someone's life, if you don't want to get involved there is nothing legally or contractually requiring you to get involved. Most police departments *don't* want you to get involved, unless it is to call them and let them know that the alarm is going off.
However, if you were to point out a weakness in the alarm system installed in everyone's homes, I'd prefer to know it so I can make the necessary changes instead of being blissfully unaware of the problem and unable to fix it.
Re: Re: Re: Re: Re: Re: Re: Re:
Normally, I'd agree with you.
But my statement remains, that in some cases pointing out the problem isn't enough. People pointed out that the world trade center was vulnerable to airplane strikes before 9/11. People also pointed out that O-Rings were failing on the Shuttle Rocket Boosters before the Challenger incident, or pointing out that the foam used on the shuttle was tearing tiles off the shuttle before the Columbia incident. Unfortunately, in some cases, the only way to get someone to do something is when tragedy strikes. From personal experience, there were a number of times that the companies I exposed problems for ignored me until I pointed it out, along with exploit code (even after I responsibly disclosed the issue to them ahead of time.)
> Entering and copying files was totally unnecessary and what landed this douche in prison.
And I totally agree, though the jury is still out as to whether this, or something else, landed this douche in prison.
Re: Re: Re: Re: Re: Re: Re: Re:
Thanks, I appreciate the clarification.
> Let's make it a college dorm or the Empire State Building. It is the same theory. Size does not confer the right to enter the premises of another and to copy files.
Well, then the analogy starts failing because he didn't actually break in, he just found some web pages that someone was hoping nobody would find. But even if he had circumvented their security measures to get that information, it still wouldn't be a perfect analogy (there is no such thing), just in case you want to go there. :-) Any time someone says "this wouldn't be OK if it was a physical thing so it's not OK on a computer either" there is a good chance that's a flawed argument, because physical and digital are different.
Re:
As for Industrial espionage and/or sabotage, you really need to read more to understand how totally ignorant and stupid you appear.
Oh and in the USA 'security experts' are everywhere, there are no standardised qualifications and professionally and personally I would state he has more ability to call himself a security person than most of the so called network/database admins at AT&T do.
Re: Re:
THAT is what this guy is being punished for, not just for finding the security hole.
I hate that every article about this guy makes it out like he was an innocent "security researcher," when he was anything but. He was looking to do damage, and that's what he did.
Re: Re: Re:
"The specific information exposed in the breach included subscribers' email addresses, coupled with an associated ID used to authenticate the subscriber on AT&T's network, known as the ICC-ID. ICC-ID stands for integrated circuit card identifier and is used to identify the SIM cards that associate a mobile device with a particular subscriber."
Much more tame than spreading credit card numbers. Not that I agree with his technique, but three and a half years for publicizing some email addresses seems awfully severe.
Translation: Normally our intimidation proves effective before reaching this point and the individual being pilloried has long since given up all signs of struggling against the fate we determined for them.
That's how you do it. You don't enter through an unlocked door, take whatever you want and crow to the media in an attempt to aggrandize yourself or embarrass a company. That is exploitation; pure and simple. You do not have the right to enter a poorly secured computer network, any more than you have the right to enter my house through my oversized dog door. And once you enter my house, you have no right to go into my file cabinet and start copying my files.
The fact that this guy is also an asshole is on him. Judges are free to sentence within the guidelines. Sounds like the court got this one right.
Re:
A better analogy is a garage sale where one table is marked "free". If the seller accidentally puts items on that table and someone takes them, whose fault is it? Did that person "steal" or "trespass"? Of course not.
One major problem
Sounds familiar
vs
> His entire adult life has been dedicated to taking advantage of others, using his computer expertise to violate others' privacy, to embarrass others, to build his reputation on the backs of those less skilled than he
If you are a jerk with legal expertise you get to be a US Attorney, if you are a jerk with computer expertise, the other jerks will take you down.
The chat logs show other intent
Moral: don't go screwing around with websites, especially when they a) have something to do with America's favorite white plastic vendor and b) your results include government officials. Another good practice would be to ensure that one doesn't be a douche to everyone they come across. People love watching douches get their comeuppance. I remind you all of Prenda.
weev is no Aaron Swartz.
Re: The chat logs show other intent
> Moral: don't go screwing around with websites, especially when they a) have something to do with America's favorite white plastic vendor and b) your results include government officials. Another good practice would be to ensure that one doesn't be a douche to everyone they come across. People love watching douches get their comeuppance. I remind you all of Prenda.
> weev is no Aaron Swartz.
But that won't stop Masnick from depicting the guy as an honorable, noble victim of a cruel, vindictive criminal justice system.
Re: Re: The chat logs show other intent
But Mike seems more concerned with the chilling effects related to jailing someone for finding a security flaw, rather than defending Weev.
Re: Re: Re: The chat logs show other intent
Specifically, this case wasn't about finding the flaw. It was what he did after discovering the problem and what he did with the information afterwards. Finding the flaw and sending security(at)att.com and/or webmaster(at)att.com an email would not have landed him in court. Finding the flaw and going straight to Gawker with the entire scraped data-set did.
Once the flaw was found, one or two records would have been sufficient for a Proof of Concept to be handed to the appropriate parties. Taking every single entry is indefensible and not needed to get the issue resolved.
The RICO principle.
It doesn't matter.
This is how bad precedents start. You start with a victim that's easy to demonize. You use that to help generate public outrage or at least apathy. You use that to distract from how you are abusing the Law.
This "hack" was about as sophisticated as manually jumping to a particular TechDirt article. Making something like that a felony is far more of a problem than tolerating genuine evil (as opposed to a mere jerk).
Re: The RICO principle.
As I said, there are plenty of security professionals and amateurs finding and reporting flaws every day. Very few - if any, and definitely none that I'm aware of, are prosecuted if they behave as described in my previous post.
Re: Re: The RICO principle.
I see what you're saying, but in this case in a very real way he was doing nothing but disclosing publicly available information. He didn't have to bypass any security measures at all to get this data. If he got to the pages he found by following a link on AT&T's web site, anybody would agree that would be purely on AT&T's shoulders. Why is it a felony when he does it by typing in the URL instead?
> There was clearly malice involved in this act.
Even if true, just because something was malicious doesn't make it illegal. At least I hope the CFAA isn't written THAT badly.
Re: Re: Re: Re: The RICO principle.
Obviously the court agreed with you. To me, the fact that the information was on a publicly available web page with no security measures protecting it means you could at least make an argument that access was implicitly authorized. Kind of like looking into someone's back yard from the sidewalk when they haven't put up a fence. They haven't invited you to look, but they haven't done anything to indicate they don't want you to, either. AT&T didn't take any steps to ensure the public didn't look at this data, they just didn't take any pains to make sure it was obviously available. It's just a little scary to me to put someone in jail for 41 months for this. If anyone should be in trouble, it's AT&T, in my opinion.
Enormously stupid
It would actually be interesting to read the privacy policy and see what "reasonable security measures" AT&T agrees to and is liable for. I am almost certain passing a password in the URL would amount to gross neglect on account of the service provider, and personal identification should be treated no differently.
A long time ago, on an IRC channel, a Yahoo server was hacked, and the details were shared amongst all people on the channel. Some of them immediately dug into the MySQL records, some went after log files... I looked up /etc/passwd, got a phone number from there and dialed it. It was a Sunday afternoon, and I got some Yahoo employee. I shared all the details of the hack, my information in case he wants to talk, and hung up. The system was taken offline, restored, and I got an email from the guy saying "Thank you".
What the hell has happened between now and then?
p.s: I am not a jerk... but that certainly can't have any bearing on what transpired, right?
If I ever have kids, I may have a tough time teaching them to respect the law for any purpose other than self-preservation. It's a shame.
Re:
Do you honestly think that applies here? This guy was looking to harm AT&T, not trying to be a white hat.
In the larger sense, yes - I agree. Whistle blowers often get the shaft, and the legal system does often protect the rich far more than the innocent.
Remember, it's a JURY trial
I've been on a few jury panels (never actually been a juror), and it seems that the people picked are the ones who know little about a case. Anyone with computer knowledge will be excused by the prosecutor. Anyone with law enforcement ties is excused by the defense.
The goal seems to be to get a group of 12 people who know absolutely nothing about the subject matter of the case.
It's not really a wonder that people are convicted of CF&A violations when they're often just exploring potential bugs out of a sense of curiosity or even being security-minded.
Oh please....
I know of a few small security holes for some file lockers and one very evil one which I'd never even report just because of fear.
I also know of a small one on Hulu having to do with their AD services which I told them and nobody else but needless to say it's 3 years later and it's still not fixed.
I would not even consider myself a hacker I'm just a curious mother fucker and sometimes I see something that just looks like it could be abused. I don't look to embarrass a company though, shit these days I would not even tell them when the thanks could possibly be prison.
Violating Others Privacy IS A CRIME
Come on people
Or as I like to call it, standard operating procedure.
Expose A Blatant Security Hole
While they're busy imprisoning those who find security flaws and inform the people with that security flaw, for the purpose of them patching it so any people/customers involved are that little bit more secure...........the others looking for security flaws, to benefit through less than moral reasons, can keep using the same flaw for god knows how long, because the person who may have discovered it is in prison.
Anyone involved in pushing this through, putting this guy away, should be held accountable for any future hacks.........oh, I'm sorry, did you just say "but they've got nothing to do with it"?
A) One, they are, if their actions prevented a patch.
B) THIS guy isn't committing a serious crime, more of a public service.
Re:
Then distributed that list.
This was NOT an innocent security researcher.
Quick, get him on the ticket
Sounds like every politician on earth!
makes you wonder
insanity
1) so few of the commentators care at all about the actual facts of the case--they have already decided (wrongly) that there was no evidence of weev's own malicious commercial self-interest. But there was substantial evidence presented at trial that he was not trying to "expose a security hole." So any story that bends the facts this way is starting from a wrong premise. The government convincingly (to the judge and jury) showed that he was trying to profit from his access to this information;
2) the very premise of the story--that what weev did was "expose a blatant security hole"--makes no sense on the surface. 10 or 100 email addresses would have sufficed to make that point and would have been very unlikely to produce this prosecution. 120,000 email addresses is prima facie evidence that he intended to do something far beyond "exposing a security hole";
3) from reading biographical stories about weev, it seems entirely likely that he had done this sort of thing before to his own significant profit--he had a lot of money of unclear origin;
4) to the commentator who compared this to looking into your neighbor's unfenced yard--that is both a frightening misunderstanding of privacy, and wrong, in that if I write down your account number on a piece of mail that I can see from the street, and then give that information to somebody else or have the intent--even the INTENT--to use it to my own profit, the fact that it was "visible" is irrelevant. It is stealing something to which I have no right--and it's stealing EVEN THOUGH I may have left the original document where it was.
Anyone who thinks weev is a freedom fighter is reading the wrong dictionary and the wrong law code, and that so many people do (on SUCH flimsy evidence and poor reading of the actual news stories) SHOULD concern law enforcement--and those of you who portray him as a freedom fighter are ensuring that the crackdown is even harsher. This site is amazingly blinkered, but this story is exceptional even by those standards. I know it's cool to love the outlaw, whatevs, but if you love the outlaw because they break the law, you don't then get to ask for the system to go easy on them too.
Re: insanity
What law exactly would that violate? And who do you think the victim should be angry with, the perpetrator, or the company that puts sensitive information on the outside of his mail, or the post office for leaving his mail out where anyone can see it, or all of them? I'm not claiming weev is innocent of wrongdoing, I'm questioning whether a 41 month prison sentence is appropriate. If he had done the exact same thing with information he found in a trash can, would he have gotten the same sentence? Or is this different because it was "on the internet"?