The DOJ's Insane Argument Against Weev: He's A Felon Because He Broke The Rules We Made Up
from the bad-news-all-around dept
We've covered the lawsuit against Andrew "weev" Auernheimer, in which the feds pushed criminal charges against him under the Computer Fraud and Abuse Act (CFAA) for discovering a massive (and ridiculous) security hole in the way AT&T set up the iPad. Basically, they saw that AT&T handed out iPad IDs in numerical order, and then left the website open, allowing him (and a partner) to just increment by number and get back email addresses on everyone who owned an iPad. The feds seemed to argue that this was some nefarious evil hack, and Auernheimer was sentenced to 41 months in prison and has to pay $73,000 to AT&T (roughly the cost it took AT&T to inform its customers of its own bone-headed lack of security). So much about this case is ridiculous, and it's complicated by the fact that nearly everyone agrees that weev is a world-class jerk. But you need to separate that out from the details of what he did here, to note that it was nothing particularly special, and it involved the sort of thing that security researchers do all the time, and which all sorts of non-security researchers do quite often.
Auernheimer is appealing, and the DOJ filed its brief a week and a half ago. It took me until this weekend to finally have the time to dig into the full 133 pages, to realize just how ridiculous the whole thing is. Tim Lee, over at The Switch, has a great explanation of what's going on here aimed at less technologically savvy folks. Meanwhile, Robert Graham has an equally fantastic writeup for the slightly more technically savvy world over at Errata Security.
We'll dig into some of the details in a bit, but as Graham points out, the feds somewhat obnoxiously nearly doubled the word limit imposed by the Third Circuit (the brief is 26,495 words, but the court only allows 14,000 as an upper limit). This is ridiculously unfair, because it lets the DOJ go on, at length, making claims that are almost wholly untrue, and at times ridiculous, while weev's lawyers were hamstrung in limiting what they could put in their own brief. Welcome to the criminal justice system, where the DOJ still seems to think it gets to play by its own rules.
And, really, that's the most ridiculous part of all of this, because while the DOJ wants to play by its own rules, nearly its entire argument against Auernheimer is that he "didn't play by the rules" where "the rules" it's talking about aren't actual rules at all, but rather what the DOJ makes up in the minds of some clearly technologically-illiterate lawyers.
The short version is that the government's case is quite scary in the way it portrays weev's actions -- such that it could easily criminalize all sorts of things. For example, it goes on about changing the user-agent, as if this is some awful thing and a form of "lying."
Spitler changed the user agent in his Account Slurper program in order to trick the servers into thinking that he was using an iPad.... He “lied to the AT&T servers” in order to get the information.... Spitler gathered this information without asking for permission from AT&T or from any of the iPad users that he was impersonating.... AT&T did not design its system to allow these email addresses to be made public.
There are so many problems with this. First, there are no hard and fast rules about user-agents that suggest this sort of thing is breaking the law. As both Graham and Lee point out, if "faking" the user-agent is a form of "lying," nearly every browser does that and has for years. That's because years ago, Microsoft added "Mozilla" to its user-agent since many websites optimized for different browsers, and Microsoft wanted servers to believe it was competitor Netscape, which many sites had designed to be nicer. So pretty much all browsers "lie." Hell, for many years I've personally used "user agent switcher," a plugin for browsers, to change my browser user agent at times, mostly for simple testing on certain websites, and sometimes for reporting purposes (to see how different sites provide different info to different browsers). I never thought I was "lying" or coming close to committing a crime. It's just a bit of info a browser, or other piece of software, sends to a server to get information returned.
Similarly, the idea that AT&T "did not design its system to allow these email addresses to be made public" is simply, empirically, false. If they hadn't designed it that way, then weev and his partner wouldn't have been able to access it the way they did. The problem was clearly that AT&T totally failed to lock down this system. Furthermore, they didn't need to "ask permission" because they sent a request to the server and the server answered. If they didn't have permission, the server would have rejected the request. It didn't. The problem was very clearly AT&T's. To bring criminal charges against weev for this is really insane.
Changing the user agent isn't breaking any "rules" -- except in the mind of the DOJ.
The DOJ really stretches to try to paint the actions by Auernheimer's partner as some masterful "hack" when the details suggest otherwise. The brief goes on at length about all the "steps" that Daniel Spitler had to go through to get access to the information, but most of the "steps" are ridiculously padded, because they have nothing to do with the "hack" itself, but were merely about Spitler trying to set up his computer to act like an iPad. That might sound odd and involved to the clueless lawyers at the DOJ, but this sort of thing is done all the freaking time by security researchers. That's how they can more easily test stuff out, by getting their computers to act like other machines. In theory, I guess, Spitler could have done the whole thing via an iPad, but what's the point? The whole idea was, in part, looking for security vulnerabilities. The fact that it took Spitler a bit of time and effort to get his computer to emulate an iPad has nothing to do with the scanning itself, but the DOJ uses it as if it shows how "difficult" AT&T made it to find these emails. That's wrong. AT&T made it quite easy to find the emails. The fact that Spitler had some trouble getting a computer to emulate an iPad is a totally separate issue.
From there, the DOJ starts playing dirty, pretending that because judicial law clerks can't find the same kind of security hole, it somehow means that Spitler and Auernheimer were up to no good:
If an ordinary, but reasonably sophisticated computer user, like a typical judicial law clerk, had been assigned the task of compiling a list of e-mail addresses of iPad users available on AT&T’s servers, he almost certainly would not have been able to duplicate what Spitler did. The law clerk would likely go to AT&T’s website and search in vain for any links or other means to access this information. No hyperlinks or search engine requests would have produced the desired results.
This is really obnoxious. The US Attorneys working on this case know that a judicial law clerk is going to make the key call on this case, and this is a way to flatter those law clerks, claiming that they're "sophisticated computer users." But a "sophisticated computer user" is quite different from a security researcher or a higher level technically proficient user. The fact that they couldn't find this info via a search engine is meaningless. No one is arguing that the info was available via search -- but rather that it was incredibly wide open because of a security hole, and yes, you'd need some level of technical proficiency to figure it out, but as far as I know there's no law making it illegal to be more technically proficient than a law clerk.
Later, the DOJ argues that using the ICC-ID number, which AT&T assigned incrementally, is the equivalent of using a password. They're apparently not joking:
The argument that the ICC-ID “is not a password,” begs the question of what counts as a “password.” Wikipedia defines a “password” as “a secret word or string of characters used for user authentication to prove identity or access approval to gain access to a resource (example: an access code is a type of password), which should be kept secret from those not allowed access.”... MK makes the facile argument that an ICC-ID is not a password because it is frequently printed on the outside of phone packaging, and thus is not secret. But that cannot be correct. Combinations to locks are often printed on the packaging, but the combination nevertheless is the secret “password” that opens the lock. Openness to the public prior to purchase is irrelevant, because after purchase the combination becomes the owner’s secret. So too with an ICC-ID. Once a phone or other device using an ICC-ID is purchased, no one can easily learn the ICC-ID unless he or she actually possesses it.
Try not to guffaw. Yes, even though the ICC-ID is just an incremental number, permanently stuck to a device, and is permanently printed on the device, the DOJ is insisting that it's still just like a password. The fact that combinations are printed on packaging is meaningless, because it's not meant to be left on the lock. Furthermore, this totally ignores the fact that the ICC-IDs were incremental. If AT&T had intended them to be secret, rule number one would have been to use a system in which you couldn't guess other accounts merely by adding one. And it gets worse:
An ICC-ID, unlike a password, is a unique identifier. In that regard, when it is used to gain access to a server, it can be even more secure than a password chosen by a user, which frequently can be guessed. Certainly a 19 or 20 digit ICC-ID is harder to guess using brute force than a typical four-digit ATM access code, misuse of which would certainly constitute a CFAA violation.
Except, uh, that's not how an ATM card password works (and, yes, ATM cards are not particularly secure). You don't put your ATM card into a machine and it automatically reads the code off the card and lets you into your account. That is, the PIN code is designed to be separate from the card, with the idea being that to get into your account you need both something physical and something in your head. The ICC-ID isn't like that. It was designed to let the user automatically access their account without a password. There wasn't that second "thing in your head" that makes a password a password.
From there, the DOJ tries to attack the fact that the "hack" was merely adjusting the URL incrementally to access each account. It does this by arguing that because SQL injection attacks can happen via a URL, therefore any "hack" via a URL can be a malicious hack.
For example, Albert Gonzalez was the mastermind of a credit card theft ring responsible for reselling more than 170 million credit card and ATM numbers from 2005 through 2007, the largest such fraud in history.... Gonzalez’s ring used what is known as an SQL injection attack, which can be performed by entering an “address” in a URL or entering data in publicly facing web forms. In many common SQL injection attacks, the challenge for the hackers is to determine the correct characters to send to the network’s database storing the data the attacker intends to exfiltrate. However, once the vulnerability is determined and the appropriate combination of characters is discovered, many SQL injection attacks can be reduced to a URL because malicious code entered into a form field in a website is often delivered to the victim’s network from the attacker’s computer in the form of a URL that includes within it the malicious string.
But, an SQL injection attack is very, very different from merely incrementing a number in a URL. Yet, the DOJ wants to equate the two. That's crazy. It goes on to try to link the two things much more closely:
And the result of these attacks, like the result in SQL injections, is that the browser returns unauthorized data from a database. An SQL injection attack is among the most dangerous and notorious hacks used today...
Sure, an SQL injection attack can be "dangerous and notorious," but that's because it's entirely different from incrementing a number. An SQL injection to gain much more power over an entire server is not the same as just flipping through pages that are easily available. The attempt to link the two is crazy, but certainly could be used to mislead a less technically savvy "law clerk," for example.
Later, the DOJ further argues Auernheimer and Spitler were guilty of bad things because they didn't contact AT&T, but rather purposely chose to go to the press (specifically, Gawker) to publicize the discovery of the security vulnerability. While it's true that it's common to alert a company ahead of time, the fact that they didn't do this is kind of meaningless here. If they were really up to no good, they wouldn't have publicized the vulnerability at all. Yes, they sought to "benefit" from it: they wanted to use it to get attention for their security work at Goatse Security. But using the discovery of a security vulnerability to help get attention for their own security research operation doesn't seem like evidence of nefarious intent. In fact, it seems like exactly the opposite. Then there's this craziness:
The groups of security researchers and computer professionals who have filed amicus briefs in this case need not be troubled by this prosecution of this black hat hacker. Major technology companies today – Microsoft, Google, Facebook, PayPal, and Mozilla, to name a few – all pay bounties to white hat hackers who find flaws in their systems and thereby help keep them secure. The Government is not aware of any instance in which a security researcher who followed the rules of ethical hacking was prosecuted for violating the CFAA. Often, when a white hat hacker discovers and reports a security flaw, he is rewarded financially for his work by the company that he has hacked. But no one, not even a white hat hacker, gets to make his own rules.
Except, as Graham notes, the list above is the entire list of tech companies who pay bounties to white hat hackers. Most tech companies don't do that, including... AT&T. Furthermore, Graham highlights this wacky line: "The Government is not aware of any instance in which a security researcher who followed the rules of ethical hacking was prosecuted for violating the CFAA." Yes, they're back to their made up "rules." As Graham points out in response:
This is circular logic, saying that people who follow the rules don't break the rules. When the prosecutors make the arbitrary decision that you've violated the CFAA, they'll likewise decide that you don't follow the rules of ethical hacking. Such circular logic is the basis for the prosecutor's entire argument: Weev is a bad guy because he's a bad guy.
When that's the way the law is read, you no longer have the rule of law. And that's why the case against Auernheimer is so ridiculous. It only works if the feds get to make up the rules as they go along, and argue that something is wrong, because they say it's wrong.
Filed Under: andrew auernheimer, authorized access, cfaa, daniel spitler, doj, hacking, security research, user agent, weev
Companies: at&t
Re: Word limit and "rules"
So you think an appropriate remedy would be to charge the taxpayers?
The name of the company was Goatse Security?
Did a court document really just cite wikipedia for a definition?
I guess that makes me a "nefarious evil hack" too. I use this same technique right here on Techdirt when I want to see the first comments a user has ever made, instead of paging thru them all.
For example:
I change the "start=20" to "start=2780" part of this address to see my first comments:
https://www.techdirt.com/comments.php?start=2780&u=gwiz
Logic Fail
Let's get this straight. Because A and B result in the same thing and B is bad, A must be bad.
Hmmm...
If I put my ATM card into the machine and enter my PIN, money comes out. If I smash the ATM machine with a hammer, money comes out. ATM use = felony.
I'm pretty sure I can make anything bad with this logic.
Re:
Nothing good can come of that. You should be locked up immediately.
The DOJ's definition of sophisticated computer users and mine are distant cousins on this one.
Any sophisticated computer user would know to look at the URL to notice patterns; that is basic stuff.
I do it here on Techdirt. Since I have scripts disabled, I have to look at the page source to read hidden comments, and to answer those I copy the "cid=" after I click on any other "reply to this". One day my lazy ass will get to writing a proper script to replace all instances of hidden comments with a proper link so I don't need to look at the source, but this is simple; even download managers take advantage of that and allow people to batch download based on patterns.
e.g.: DownThemAll has something they call batch descriptors
http://andreamoz.blogspot.com/2008/11/downthemall.html
https://bugs.downthemall.net/ticket/1943 (Multiple batch descriptors results in downloads of 10000 files)
Is that guy a hacker too?
You can imagine how many people would go to jail for using such things.
This is why I doubt that if those judicial law clerks can't do a simple batch download they could be called "sophisticated".
"Wikipedia defines a “password” as “a secret word or string of characters used for user authentication to prove identity or access approval"
A password does NOT identify a user, it proves that the identified user is who they say they are.
The IDs used by AT&T are not passwords, they are IDs. To try to pretend those are the same things is just being clueless.
Kids are kids, and what did they do?
They start by uploading sexy photos to create a thumbnail, and next upload a nasty photo of something; many got goatsed that way.
Kids, eternal source of amusement for me, for the DOJ they all are the source of criminals.
the rules
The stated purposes do not include: tracking user activity, identifying individuals, authentication.
All hackers now.
a unique identifier is surely a username not a password?
No sale
I'm offended that he gets a full share of our collective oxygen.
The Justice Department used the tax laws to get Capone. If they have to stretch logic to put weev away, I'm for it.
Dear DOJ please use the following expressions in Google or Bing or Baidu or whatever to find more criminals like Mr. Weev.
Download manager batch download
Download manager batch download descriptors
Download manager batch download patterns
Ugh
I also routinely directly edit URLs, because in many idiotic websites, navigating that way is easier than clicking around all the time.
So I guess I'm a criminal too.
Re:
That's why you see the DOJ referring to judicial law clerks as "reasonably sophisticated computer user"...
Re: No sale
So you are against the rule of law. I understand. The trouble is that once everyone is OK with law enforcement lying and distorting in order to obtain convictions, they will do so routinely for everyone, not just for people you personally hate.
Re: No sale
Fair enough. Just remember you stated that when the precedent set by a bad ruling in this case causes you or a loved one to be jailed for mistyping a URL in a browser window.
Mike's arguments are similarly ridiculous
That's irrelevant. If I failed to lock the door, this doesn't mean that it's OK to enter. It doesn't matter that you made a "request" (turned the knob) and the door lock "answered". It's still trespassing.
>> It does this by arguing that because SQL injection attacks can happen via a URL, therefore any "hack" via a URL can be a malicious hack.
The argument here is presented incorrectly. What the DOJ is trying to say is that a "mere URL" can be quite a dangerous thing, depending on content, as in SQL injection.
So, as in many other cases, it's a matter of intent. If this guy is known to be a "world-class jerk", he will (probably) have a hard time trying to prove that his intentions were harmless.
Re: Word limit and "rules"
At the very least you'd think a fair judge would simply reject the brief outright and firmly instruct them to resubmit a complying brief with minimal delay.
Too much to hope for?
Re: Mike's arguments are similarly ridiculous
Extremely different. Turning a doorknob is not making a request -- it's physically opening. Sending a URL *is* (literally) making a request to a server to send info back. And that's what happened.
What DOJ tries to tell, is that "mere URL" can be quite dangerous thing, depends on content, like in SQL-injection.
But that's a total misread of weev's argument. A "mere" URL *as presented by the server* and then incremented up or down is quite different than sticking an SQL injection command hidden in a URL.
They're comparing apples and oranges.
Oh poor weev
Re: Re: Ugh
Wrong, it does. It shows intent. You are saying that "this wasn't done maliciously", and the DOJ is arguing otherwise. That's the core of the argument; the rest is technical explanation about what happened.
Now, going public _can_ be seen as malicious (an attack on reputation, for example).
Basically, that's why courts are ruled by judges (or juries) and not by machines - to decide about such fuzzy things as "intent".
the really sad thing is that Obama was going to protect 'whistle blowers' and instead just shit on them! and just a few days ago, one of the security agencies wanted people to start spying on neighbours. anyone that did this must be out of their trees! the first ones in jail would be them, while those being spied on would be laughing their bollocks off!!!
This is a very fundamental misunderstanding of computers. Unfortunately even the technologically literate make it all the time. I learned the lesson when I was first learning to write code:
"A computer will always do exactly what you* tell it to do. It will not do what you mean it to do."
It follows your instructions exactly - any mistake it seems to make was the result of an instruction it got and followed as designed. It's another form of the 'you can't blame the tool' argument.
*you is the user, in conjunction with the programmer of the application, and however many other levels of coders and system builders it takes for you to get down to the physical hardware.
Re: Re: Mike's arguments are similarly ridiculous
So, by this logic, if I have a door operated by a button it will be different, because pressing the button is "a request"? That's not how criminal justice is (supposed to) work.
>> A "mere" URL *as presented by the server* and then ...
I think you have no idea how SQL injection works. You _also_ take the "URL as presented by the server" and modify it to your needs. Yes, it's quite different from the discussed case, but that's not what is argued. The argument is "just because it's a URL it doesn't mean it's harmless"; as one can see, a slightly modified URL can bring a lot of action.
>> They're comparing apples and oranges.
Comparing apples and oranges is OK if all you need is to estimate the mass of cargo, for example.
I don't mean that guy did "41-months-in-jail-serious-crime". But, I do mean that DOJ's logic is not "insane".
Re: Ugh
If anybody capable of adding numbers could have done it, the problem is not with the people who do it; it is with the system that allows it.
Now where is the harm caused by the actions of the people involved here? Did they do anything malicious? Did they defraud anybody?
Nope, then there should be no problem; what they did was to expose and make public a security problem, which most of the time is a good thing.
Re: Re: No sale
If you want to test the limits of the use of this law, I suggest you find a test case that isn't so utterly execrable and despicable.
I believe in the rule of law, but I also believe that there are monsters who would seek refuge therein.
Re: Re: Re: No sale
It doesn't matter. He could be satan incarnate, and it would still be a bad idea to "stretch" the law just to provide a bit of retributive "justice". Not because of who he is, but because that kind of "justice" will end up being applied to us all.
Re: Ugh
In case you don't know the difference between those, one involves a locked door and the other an unlocked one. Big difference as there should be.
First they came for the hackers...
Sir Thomas More: What would you do? Cut a great road through the law to get after the Devil? ... And when the last law was down, and the Devil turned round on you – where would you hide, Roper, the laws all being flat? This country is planted thick with laws from coast to coast, Man's laws, not God's, and if you cut them down – and you're just the man to do it – do you really think you could stand upright in the winds that would blow then? Yes, I give the Devil benefit of law, for my own safety's sake!
(Emphasis mine)
ICC-IDs
Owners of an iPad 3G must provide an email address, billing address, and a password to complete registration and activate AT&T’s 3G service. When users log in to the AT&T website for 3G subscribers they must provide that email address and password. AT&T made this process easier by automatically pre-populating the email address on the log-in page. A twenty digit ICC-ID (Integrated Circuit Card Identification) number uniquely identifies the SIM (Subscriber Identity Module) card of any device with cellular network connectivity. The iPad browser’s HTTP request for the log-in page contained the iPad’s ICC-ID in plain text within the URL. The browser’s “user agent” (a portion of the HTTP header) is one specific to an iPad. When the ATT server received such a request from an apparent iPad it would return the log-in page with the correct email address already supplied, as long as the ICC-ID was one that matched a registered user. This feature, which made logging in easier, also made it insecure. Note that the email address is supplied before any authentication is done using a password.
How does one collect email addresses from multiple ICC-IDs? One way is to go, sequentially, through all the potential ICC-IDs and collect the emails received from the relatively few requests that were successful. Of the twenty digits the first two represent the Major Industry Identifier (MII, 89 for telecommunications). The next two are a country code (CC, 01 for the US). The next 1-4 digits are for the issuer, which is Apple in this case. These are not published but every iPad reveals one of them. This leaves 11-14 digits for the account number. The final digit is a check digit for error detection. So, one has to go through, roughly, 100 billion to 100 trillion ICC-IDs to find all the valid ones for Apple iPads. That is a pretty large number. Daniel Spitler wrote a simple PHP script, colorfully named "the iPad3G Account Slurper", to automate the procedure. The set of valid ICC-IDs is not sequential. After some initial success they were having a problem finding valid ones. They guessed that the iPad 3G used ICC-IDs from different blocks of numbers. The ICC-ID is printed on the SIM, so they guessed these blocks based on Daniel Spitler’s iPad, those of acquaintances, and from public pictures of the iPad 3G shown on Flickr and other photo websites.
An app could have been written for the iPad. Since it would be unlikely such an app would be approved by Apple, this would have to be done with a jailbroken iPad. Such an app would still need to “spoof” the “user agent” of the browser for the iPad. Another option is to write a script for use on a computer that is not an iPad and, again, utilize a spoofed “user agent”. Whichever approach was taken, the result was that, altogether, approximately 120,000 email address/ICC-ID pairs were collected over a period of several days from June 3, 2010 up to June 8, 2010.
Note that Spitler identified the sub-blocks that Apple used by finding ICC-IDs from pictures of iPads on Flickr. If the ICC-ID were a password, why would people post this number publicly on their Flickr account? Also, the painfully obvious flaw in the DOJ's argument about ICC-IDs being passwords is that a real password was required right after ATT so helpfully filled in the email address in response to a valid ICC-ID.
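To make the comment's point concrete, here is an added example (not code from the case, from AT&T, or from the commenter) that models the pre-authentication lookup it describes beside a hardened version: the ICC-ID field layout follows the comment, while the Luhn check digit, the two-digit issuer field, the constructed account table and the handler names are assumptions.

```python
"""Model of the pre-authentication e-mail disclosure described in the comment above.

Added example, not code from the case or from AT&T.  The ICC-ID layout follows the
comment (MII 89 = telecom, CC 01 = US, issuer digits, account digits, check digit);
the Luhn check digit, the two-digit issuer field, the account table and the handler
names are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

ICCID_RE = re.compile(r"^\d{19,20}$")


def luhn_valid(digits: str) -> bool:
    """True if the trailing digit is a valid Luhn check digit for the string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def luhn_append(body: str) -> str:
    """Append the single check digit that makes body pass luhn_valid()."""
    return next(body + d for d in "0123456789" if luhn_valid(body + d))


@dataclass
class IccId:
    mii: str
    country: str
    issuer: str
    account: str
    check: str


def parse_iccid(value: str, issuer_len: int = 2) -> Optional[IccId]:
    """Split a well-formed ICC-ID into the fields the comment describes, or None."""
    if not ICCID_RE.match(value) or not luhn_valid(value):
        return None
    return IccId(mii=value[:2], country=value[2:4],
                 issuer=value[4:4 + issuer_len],
                 account=value[4 + issuer_len:-1], check=value[-1])


# Constructed registered accounts (ICC-ID -> e-mail).  The IDs differ only in the
# last account digit, mirroring the incremental allocation the comment describes.
ACCOUNTS: Dict[str, str] = {
    luhn_append("890142000123456789" + str(n)): f"user{n}@example.invalid"
    for n in range(3)
}
IPAD_UA = "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X) AppleWebKit/531.21.10"  # constructed


def prepopulate_email_vulnerable(icc_id: str, user_agent: str) -> Optional[str]:
    """The flaw as described: an iPad-looking user agent plus a registered ICC-ID
    gets the account e-mail back before any password is checked.  Both inputs are
    supplied by the client, so neither proves anything about who is asking."""
    if "iPad" not in user_agent:
        return None
    return ACCOUNTS.get(icc_id)


def prepopulate_email_hardened(icc_id: str, session_email: Optional[str]) -> Optional[str]:
    """Fix: the e-mail is account data, so release it only to a session that has
    already authenticated as that account's owner.  The user agent is ignored (it is
    a label, not a credential) and unknown, malformed and foreign ICC-IDs all get the
    same answer, so walking through identifiers reveals nothing."""
    if session_email is None or parse_iccid(icc_id) is None:
        return None
    email = ACCOUNTS.get(icc_id)
    return email if email == session_email else None
```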
Re: Re: Re: No sale
If he managed to destroy lives without breaking the law, then it seems we need a new law.
Re: the rules
using DoJ's logic: ALL the systems used by the DoJ/US Government and its agencies are illegal and ALL their computer users should be thrown in prison for lying in the user-agent. Start with Obama, please, he uses government computers too /:p
Re: Re: Re: Mike's arguments are similarly ridiculous
SQL injection involves carefully crafting a URL by inserting improperly formatted data so that the server misinterprets a piece of the URL as an SQL command instead of the original purpose that piece of the URL was responsible for. It is this misinterpretation that results in privilege escalation and subsequent unauthorized access.
That's the big difference between SQL injection and what happened here. This "hack" provided exactly what the server was expecting, a perfectly valid, properly formatted numeric identifier. There was no misinterpretation of data by the server, no privilege escalation, and no unauthorized access.
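The contrast the comment above draws, as an added example that is not part of the original thread or anyone's posted code: an in-memory SQLite table of constructed ICC-ID/email pairs queried three ways. The string-built query is deliberately injectable and shows the server misinterpreting input as SQL; the parameterized query treats the same input as data and returns nothing; the third lookup adds the control that an enumeration like the one in this case shows to be missing, tying the lookup to an authenticated identity (the `session_iccid` argument is a hypothetical session attribute for this example).

```python
# Added example (not from the page or the commenter): SQL injection versus a
# well-formed identifier, shown on an in-memory SQLite table of constructed rows.
import sqlite3
from typing import List, Optional

SAMPLE_ROWS = [  # constructed data, not real subscribers
    ("89012600000000000011", "alice@example.com"),
    ("89012600000000000029", "bob@example.com"),
    ("89012600000000000037", "carol@example.com"),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE subscribers (iccid TEXT PRIMARY KEY, email TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO subscribers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_injectable(conn: sqlite3.Connection, iccid_input: str) -> List[str]:
    # Vulnerable on purpose: the input is pasted into the SQL text, so a quote
    # in it changes the statement's structure. That is the misinterpretation
    # the comment describes; ' OR '1'='1 turns a lookup into a full dump.
    sql = f"SELECT email FROM subscribers WHERE iccid = '{iccid_input}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, iccid_input: str) -> List[str]:
    # Bound parameter: the input is only ever data. The injection string now
    # matches no row, while a well-formed ICC-ID still returns its email,
    # because the server is answering exactly the question it was built for.
    sql = "SELECT email FROM subscribers WHERE iccid = ?"
    return [row[0] for row in conn.execute(sql, (iccid_input,))]


def lookup_authorized(
    conn: sqlite3.Connection, iccid_input: str, session_iccid: Optional[str]
) -> List[str]:
    # A well-formed ID is not proof of ownership. The hardened lookup only
    # answers for the identity already authenticated in the session
    # (session_iccid is a hypothetical session attribute for this example).
    if session_iccid is None or session_iccid != iccid_input:
        return []
    return lookup_parameterized(conn, iccid_input)


if __name__ == "__main__":
    db = build_db()
    injected = "' OR '1'='1"
    print("string-built query:", lookup_injectable(db, injected))
    print("parameterized query:", lookup_parameterized(db, injected))
    print("well-formed ID, no session:",
          lookup_authorized(db, "89012600000000000029", None))
    print("well-formed ID, own session:",
          lookup_authorized(db, "89012600000000000029", "89012600000000000029"))
```

The middle function is the one that matters for the comment's point: parameterization fixes the parsing problem, yet it still hands any caller the email for any valid identifier. Only the third function changes that, and it is an authorization check, not an input-handling fix.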
Re: Re: Re: Re: Mike's arguments are similarly ridiculous
responsible disclosure, contacting ATT
Mmm, begging the question...
Actually, it does not "beg the question". Pet peeve of mine. It's funny, because if you look up "begging the question" on wikipedia (they were already there, looking up "password"), you would see that begging the question is actually...well, I'll just let Robert Graham handle it.
Re: Re: Re: Ugh
Anything else is irrelevant, as any ethical hacker has an obligation to confirm that their findings have been acted upon.
Any company that doesn't act on this, really, deserves everything they get, and that would apply even if I were directly affected. Would I be happy about it? Hell no! But the company would be the one I blamed in a similar situation.
Re: Re: Ugh
No, to *us* programmers, it's like charging someone with B&E when all they did was knock on the door, someone answered, and handed them something.
The whole model of URL as physical spaces is ridiculous, though. There is no physical space at a URL. Anything that's available on the internet and not passworded IS BEING BROADCAST ONTO THE INTERNET ON PURPOSE.
The real metaphor is this: Weev changed the channels on his cable box a few times, and came across AT&T broadcasting their customers' private information.
Re: Re: Re: Ugh
Re: Re: Re: Ugh
To those that say...
More: What would you do? Cut a great road through the law to get after the Devil?
Roper: I'd cut down every law in England to do that!
More: Oh? And when the last law was down, and the Devil turned 'round on you, where would you hide, Roper, the laws all being flat?
(From the movie A Man for All Seasons, 1966)
Re: Mmm, begging the question...
The argument that the ICC-ID is not a password raises the question of what counts as a password.
Re: Re: Mmm, begging the question...
I probably wouldn't have said anything either, if not for Mr. Graham's quote containing the definition of "begging the question".
Re: Mike's arguments are similarly ridiculous
Better example. I found the address of your home. I write a letter, and I put an address (i.e. URL) on the front of it. You receive my mail, write a letter of your own, and reply to me.
At what point does your reply to me constitute a felony on my part?
Re: Mike's arguments are similarly ridiculous
This is not a private house. It's more akin to a bank carrying everyone else's information. When they carry my information I have a right to ensure that my information is secure and if I find insecurities everyone else has a right to know about them so that they can choose to act accordingly (ie: not do business with that company, remove their information from it, contact it, etc...).
I agree that the researcher probably should have contacted the company first in secret (if he didn't). But these days a possible response is that the company
A: Won't fix the vulnerability and will likely ignore it
B: Will sue the white hat hacker upon publicly revealing the vulnerability.
These corporations did this to themselves and they deserve the fact that no one 'plays by the rules' because the rules are broken and written by corporations and the corporations never play by them anyways and they get away with it. The rules should be that the corporations get punished by the law for having such disregard for the security of their users. But no, our laws are backwards.
Re: No sale
And nobody is asking you to be sympathetic to him, only to consider the bigger and far more important picture. If Weev's online actions deserve punishment (as I absolutely believe they do), then he should be punished for those actions, and not trumped-up charges that could result in a terrible legal precedent that will have chilling effects on legitimate online security research and be used to unfairly or disproportionately punish others that you don't happen to dislike.
Re: Oh poor weev
All completely correct. Unfortunately Karma is a terrible way to run a justice system. Getting what you deserve shouldn't have significant negative consequences for everybody else.
Re: Re:
Appeal Consequence
This will damage use of the CFAA, and there would be in the records of a court proof that AT&T had stored confidential customer data in a dangerously insecure way. The consequence ought to be customers suing AT&T for putting their real identities and good names at risk.
Re: Re: No sale
Even if some of ya made good points, you got worked up over sarcasm.
Re: the rules
Erm, that might not be the stated purpose but they do appear to provide the tools:
"The field can contain multiple product tokens (section 3.8) and comments identifying the agent and any subproducts which form a significant part of the user agent"
Sure, section 3.8 states "They MUST NOT be used for advertising or other non-essential information". But if you did this anyway, that would simply mean that they're not RFC 2616 compliant, not that they're suddenly not user agents - and AFAIK no law says that something needs to be compliant.
Re: No sale
...and Capone was actually guilty of what he was jailed for. They didn't stretch logic to put him away, they simply prosecuted him for the crimes they could show he committed, rather than the more serious charges they suspected but could not prove he committed.
That's a very different thing to what you're supporting here, which is "there's one thing we think he's guilty of, and we'll say whatever we can to make him guilty".
"I'm offended that he gets a full share of our collective oxygen."
I'm offended that someone who thinks that "I don't like him" is a good enough reason to put him away gets a full share of our collective oxygen. Does that mean I can get rid of you?
I wonder what 4Chan have to say about you...
Re: Re: Re: No sale
Re: Mike's arguments are similarly ridiculous
Why is it that people who disagree with Mike's points not only act like assholes about it, but fail to understand the technology themselves?
"t doesn't matter that you made a "request" (turned the knob) and door-lock "answered"."
This is a horrific analogy that misunderstands at least 2 major technical points. Others have corrected you below, but FFS, if you're going to discuss things with bad analogies, at least try not to be a dick about it.
"If this guy is known to be "world-class jerk", he will (probably) have hard time trying to prove that his intentions were harmless."
...and this kind of attitude is exactly why these attacks on due process and rights are so dangerous. You're not only supporting a "guilty until proven innocent" approach, but supporting "I don't like that guy" as a valid reason for prosecuting in the first place. How do you think this will ever end well?
Re: Re: Mike's arguments are similarly ridiculous
If people really want an analogy, it's like asking if you can enter an apartment building to visit a specific apartment. You're only "meant" to ring the bell of the apartment of the person you're intending to visit, but you've worked out that if you press any of them you can get in if there's someone to answer. So you're "hacking" the security system by the DOJ's logic here but all you're doing is making a request (to be allowed into the building), which is answered and authorised, even if you're doing it in the correct way.
It's still a very flawed analogy that doesn't cover what you do once inside the building, of course, but most reasonable people wouldn't count the bell ringing as breaking and entering. Weev's actions are more akin to having noted down the names on the lobby mailboxes once he gained access.
"These corporations did this to themselves and they deserve the fact that no one 'plays by the rules'"
I agree. If only the response to this was "suck it up, corporation and learn from your mistakes" rather than "we must prosecute this person as a lesson to others not to notice security flaws"....
Re: Appeal Consequence
However, this would assume both that AT&T have real competition and that the average consumer is both willing and able to understand the security problems introduced to the degree where they'd be spurred into action - neither of which is sadly likely.
Re:
So, what would such a user do, assuming a reasonable level of intelligence?
They would seek out someone with greater knowledge who would then supply them with the information required to do what Spitler did.
Same as bank robbery
It's the exploitation of the security hole that is a crime, not the hole itself.
I am sure you would NOT be let off if you told the judge "the bank and vault were wide open, and there were no security guards, therefore I am innocent !!!" ..
Yea right..
HELD FOR MODERATION
Just wondering, I guess you are proud and protective of your 'powers' to censor, and your ability to stifle open debate and free speech !!!
At least change the message to read correctly !!!
HELD FOR CENSORSHIP
HELD BECAUSE I FEAR FREE SPEECH AND OPEN DEBATE.
HELD FOR CENSORSHIP
It will be reviewed by our staff before it is posted.
No, Mr Masnick, THANK YOU for displaying your willingness to abuse free speech and censorship, and displaying to your readers that you are as big an abuser of free speech and censorship as ANYONE you write about.
Thank you for displaying that abuse in such a clear concise manner, and showing (eventually) that you are certainly NOT above such abuses..
In fact you employ the abuse of censorship to stifle free speech..
THANK YOU... you must be so proud of yourself !!!
Re: Re:
"Basically, they saw that AT&T handed out iPad IDs in numerical order"
They didn't go "we want to compile a list of e-mail addresses of iPad users available on AT&T's servers". They went "oh, that looks wrong, I wonder if their system really is that bad".
Savvy or not, to replicate the actions you need to have someone who is looking to see what's wrong with that picture, not someone looking to break a lock.
Re: Re: Mike's arguments are similarly ridiculous
You are confused about what due process is. Since this is different in every country, let me tell you what it is NOT. It is NOT blind application of pre-coded (in laws) rules. That's what a computer does. What a judge does is another thing entirely.
Let me give you an example. You drop a hammer from your window and someone is killed. Only a human can decide whether you killed someone in cold blood or were just careless. If you're already a convicted murder felon, you will have a _very_ hard time arguing "just careless".
That's why in almost _any_ trial intent and character matter. So, yes, it is important whether I "like that guy".
Re:
So ban being as a felony to start saving time.
Bring out the child-catcher!
Re: Re:
Re: First they came for the hackers...
Leaving aside the Devil is just following "God's Law" ;)
Re: Re: Re: Re: No sale
Re: Re: Re: Mike's arguments are similarly ridiculous
Yes, he evaluates all evidence before him and judges depending on that, which may or may not include character evidence depending on the crime at hand. Not whether or not he personally likes the guy.
"Only a human can decide whether you killed someone in cold blood or were just careless."
...and that human will be evaluating all available evidence, including witness statements, video evidence, physical evidence at the scene, among other things. Character evidence may be used to sway a verdict where such evidence is absent or unclear, but it's not used where such evidence is clear. Who cares what kind of an asshole someone is when there's video evidence showing it to be a clear accident?
You suck at analogies.
"If you're already a convicted murder felon, you will have a _very_ hard time arguing "just careless"."
What, exactly are you interpreting from my words? Not what I'm saying, since you managed to come up with the exact opposite. YOU were the one trying to say he should be assumed guilty unless proven innocent ("prove that his intentions were harmless"). How you managed to come up with the idea that I was saying he should be arguing intent after conviction is beyond me.
So, it looks like your grasp of the arguments in front of you is as poor as your grasp of the technology (which you didn't defend, by the way - interesting). I'd agree that someone as reactionary and ill-informed as you should not be hearing this particular case, but other than that you've not really made an argument.
Re: Re: Re: Mike's arguments are similarly ridiculous
Re: Re: Re: No sale
That is simple - have him go VS someone who'll fight back far harder than he will in the Courts.
Because if one wants to destroy - nothing like the power of Government.
Re: Re: Re: Re: Ugh
So if you have a list of IPs that you have banned because of spam and put up a banner in the SMTP daemon saying 'this IP is banned, disconnect now' and the email gets sent - is that a CFAA violation?
DOJ and AT&T are off-base here
unconstitutional it is
"No Bill of Attainder or ex post facto Law will be passed."
Re: Ugh
No. It's a guy that saw something that looked like a potential security hole, and then wrote a script to verify that it was the case so that he could report on it.
Re: Re: Re: Ugh
It'll be a terrible day for internet security when damaging a company's reputation by revealing their security weaknesses is seen as a bad thing. Companies entrusted with their customers' private data should be under constant and meaningful scrutiny, and should never be led to believe their reputation is more important than their customers' privacy. In fact, the fallout from a malicious data breach is arguably far more damaging to a company's reputation than fixing a publicly exposed security flaw.
"Basically, that's why courts are ruled by judges (or juries) and not by machines..."
Judges are there to ensure the law is followed. Punishing historic trollish behavior, no matter how despicable, would not be following the law in question.
Re:
Re: Re: Re: Mike's arguments are similarly ridiculous
I didn't say that the passer by stole money just that they noticed that there is no security.
"So a passer by walks in and notices that the bank has no security."
'Stealing money' in this analogy would sorta be if the person used the private information gained for financial gain.
How Weev's prosecutors are making up the rules By Robert Graham
Re: Re: Re: Re: Mike's arguments are similarly ridiculous
Well, you did say the following directly before that:
"Anyone can just go in and rob the bank and take my money from it."
Sorry if I misinterpreted you, but that's why these things can often turn into arguments about something they're not. It's a bad analogy because you introduced the concept of crimes far more severe than the one that happened and thus change the scope of the discussion.
" 'Stealing money' in this analogy would sorta be if the person used the private information gained for financial gain."
True, but you're using the analogy to describe a situation where - as far as I'm aware - that did not happen, so it doesn't belong. Even if it did, weev would have been trying to get money from exposing the security flaw, not by simply robbing the data/money behind the flawed security.
I understand what you were getting at, but the analogy was not appropriate.
Re: HELD FOR CENSORSHIP
I wish Masnick would censor you for real so you can see what it looks like, fuckface.
Re: Re: Re: Word limit and "rules"
Wikipedia as a source for legal briefs