Prosecutors Admit They Don't Understand What Weev Did, But They're Sure It's Like Blowing Up A Nuclear Plant

from the wtf? dept

We've been covering the ridiculous DOJ case against Andrew "weev" Auernheimer for quite some time. If you don't recall, Auernheimer and a partner found a really blatant security hole on AT&T's servers that allowed them to very easily find out the email addresses of iPad owners. There was no breaking in to anything. The issue was that AT&T left this all exposed. But, with a very dangerous reading of the CFAA (Computer Fraud and Abuse Act) and a bunch of folks who don't understand basic technology, weev was sentenced to 3.5 years in jail (and has been kept in solitary confinement for much of his stay so far). Part of the case is complicated by the fact that weev is kind of a world class jerk -- who took great pleasure in being an extreme online troll, getting a thrill out of making others miserable. But that point should have no bearing on whether or not exposing a security hole, by basically entering a URL that AT&T failed to secure, becomes a criminal activity.

Throughout the case, it's been clear that the DOJ was trying to make up an interpretation of the law that had no basis in the actual technology world. And it became abundantly clear at a hearing before the appeals court concerning weev's case, that the DOJ really has no idea what weev did. They're just sure it's bad because it involves computers and stuff. Seriously, as reported by Vice:
"He had to decrypt and decode, and do all of these things I don't even understand," Assistant US Attorney Glenn Moramarco argued.
Say what? If that's the basis for being declared a felon and locked up for 3.5 years, almost everyone is a felon. It's likely that under that "standard" Moramarco himself is a felon, because I'll bet he "decrypts and decodes and all of these things he doesn't understand" on pretty much a daily basis. But, a tip to the US Attorneys' office: when prosecuting a computer crime, you might want to at least try to have someone who actually understands the fundamental basics of what the person you've locked up has done.

But, Moramarco apparently doesn't want to let his complete ignorance of what actually happened (someone putting a URL into a box and seeing the page that AT&T failed to secure) to get in the way of insane hyperbole about what he thinks weev did:
In its opening statement, the government made an incendiary comparison that seemed to reflect the nature of its understanding of the crime: the prosecution compared Auernheimer's deeds to hackers "[blowing] up a nuclear power plant in New Jersey" in an attempt to illustrate how it was a relevant venue.
Yes, apparently exposing the fact that AT&T left its customers' info wide open to anyone is the equivalent of blowing up a nuclear power plant. Yikes.

As the article notes, much of the hearing actually focused on the question of venue, and it appears that weev may get off on something of a technicality. Prosecutors had moved the case to New Jersey for no known reason and so it may get rejected for being the improper venue, which potentially could mean that the appeals court never even addresses the issue of just how badly the DOJ twisted the CFAA to bring down weev. The judges appear to be considering this, as they noted that based on the details of the case, there was no apparent connection to New Jersey and no reason why the DOJ couldn't have brought the case anywhere (one judge apparently mentioned Hawaii).

The case is important because of all the CFAA abuse we've seen by the DOJ over recent years, and now it sounds like the appeals court may be able to just skip over that issue entirely. Given the DOJ's own admissions of its lack of understanding about weev's actions, that actually might be the best thing for the DOJ, allowing it to continue to make completely bogus CFAA arguments to take down technologically sophisticated people that the DOJ doesn't like and doesn't understand.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: andrew auernheimer, cfaa, computer hacking, doj, glenn moramarco, security holes, trolls, venue, weev
Companies: at&t


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Ninja (profile), 20 Mar 2014 @ 9:08am

    "He had to decrypt and decode, and do all of these things I don't even understand," Assistant US Attorney Glenn Moramarco argued.

    It seems technology is not the only thing he fails at understanding considering the judicial process and the law enforcement side screw ups.

    link to this | view in chronology ]

  • identicon
    Michael, 20 Mar 2014 @ 10:01am

    "[blowing] up a nuclear power plant in New Jersey"

    It could be a reasonable comparison.

    Let's be realistic here. How bad would it be to blow up a nuclear power plant in New Jersey? I mean you can't even buy a Tesla there anymore.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Mar 2014 @ 10:02am

    Ignorance is bliss. I'm surprised the DOJ didn't throw weev in a pond, to see if he sinks to the bottom or floats, as part of their CFAA test.

    link to this | view in chronology ]

  • icon
    ChurchHatesTucker (profile), 20 Mar 2014 @ 10:07am

    IOW

    "I am an idiot," Assistant US Attorney Glenn Moramarco argued.

    link to this | view in chronology ]

  • icon
    Trails (profile), 20 Mar 2014 @ 10:23am

    Someone please

    the prosecution compared Auernheimer's deeds to hackers "[blowing] up a nuclear power plant in New Jersey" in an attempt to illustrate how it was a relevant venue.


    How in the nine circles of hell is that considered an admissable, non-inflamatory comment?

    link to this | view in chronology ]

    • icon
      John Fenderson (profile), 20 Mar 2014 @ 10:29am

      Re: Someone please

      because Terrorism!

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Mar 2014 @ 2:30pm

      Re: Someone please

      the prosecution compared Auernheimer's deeds to hackers "[blowing] up a nuclear power plant in New Jersey" in an attempt to illustrate how it was a relevant venue.


      How in the nine circles of hell is that considered an admissable, non-inflamatory comment?


      Because the defense attorney was not smart enough to object?

      link to this | view in chronology ]

      • icon
        That One Guy (profile), 20 Mar 2014 @ 3:21pm

        Re: Re: Someone please

        Maybe he was too busy trying to pick his jaw off the floor after hearing such an insane, over the top accusation.

        But yeah, the defense attorney should have objected very loudly, and very clearly, over such a blatant attempt at poisoning the jury against his client by comparing his action to something that's not even remotely similar.

        link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Mar 2014 @ 10:41am

    No known reason?!?!?

    Prosecutors had moved the case to New Jersey for no known reason
    Of course it's known - they obviously chose New Jersey because that's where the nuclear powerplant that he didn't blow up is!

    link to this | view in chronology ]

  • identicon
    Glen, 20 Mar 2014 @ 10:42am

    Granted I don't know how to code. But if you are going to make comparisons, wouldn't a valid nuclear plant comparison be that he was showing them where their security holes so they can place a guard in that area?

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Mar 2014 @ 10:52am

      Re:

      No coding necessary to do what he did.

      link to this | view in chronology ]

    • identicon
      Michael, 20 Mar 2014 @ 11:07am

      Re:

      Somewhat like the power plant leaving the doors open to the storage area with all of the fuel rods and he pulled up in a truck, took a big pile of them, and then proceeded to park in front of the power plant security gate and hold up a sign that said "free fuel rods".

      Except with less chance of radiation sickness.

      link to this | view in chronology ]

      • identicon
        Glen, 20 Mar 2014 @ 11:09am

        Re: Re:

        Thanks!!

        link to this | view in chronology ]

      • icon
        John Fenderson (profile), 20 Mar 2014 @ 11:38am

        Re: Re:

        Better, but still a faulty analogy. To get the fuel rods, you'd have to trespass. Weev didn't even do that.

        link to this | view in chronology ]

        • icon
          Anonymous Howard (profile), 21 Mar 2014 @ 6:21am

          Re: Re: Re:

          The power plant warehouse has a window fronting the street, where you can get your daily fuel rod by saying your name. He said his name, got his fuel rod, then started to say a bunch of random names and got theirs too. Then he parked in front of the security gate.

          link to this | view in chronology ]

    • identicon
      PRMan, 20 Mar 2014 @ 1:44pm

      Re:

      Imagine a whole neighborhood of houses. The power company tells you that they put a note on your door telling you when your power would be out. On that note, you realize that they put your name, address, phone and SSN.

      You then decide to go to your next door neighbor's house. You see that his name, address, phone and SSN are posted on his door too. You then realize that you could go around the neighborhood and get anyone's full contact information.

      So you go on a blog and say "The Power Company are idiots. They exposed everyone's data. What a bunch of stupid fools!"

      Then they arrest you (for 3.5 years and put you in solitary) for breaking into every house in the neighborhood, even though all you had to do was go to every address and look at the posting on the front door.

      The prosecutors then say that because of your awesome B&E skills, you could have just as easily broken into the nuclear power plant and caused a meltdown.

      link to this | view in chronology ]

  • icon
    Rose M. Welch (profile), 20 Mar 2014 @ 10:54am

    Remember...
    ...the definition of 'hacking' has been updated.

    hack, verb
    1. to cut and clear (a way, path, etc.), as through undergrowth
    2. to cough in short dry spasmodic bursts
    3. to manipulate a computer program skilfully, esp, to gain unauthorized access to another computer system
    4. to use a computer in a way that observers do not fully understand or do not like

    link to this | view in chronology ]

    • identicon
      Michael, 20 Mar 2014 @ 11:08am

      Re:

      5. to use a computer in any way and then do something that the government does not like

      link to this | view in chronology ]

      • icon
        Trails (profile), 20 Mar 2014 @ 12:03pm

        Re: Re:

        5. to use a computer in any way and then do something that the government does not like, or no longer likes, i.e. retroactive

        FTFY

        link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Mar 2014 @ 12:40pm

      Re:

      And this is why, when I find security holes, the very LAST thing that I do is mention them to the responsible party. I don't work for them. I don't owe them anything. And chances are good that if I try to help them out, they'll respond by calling the feds.

      So screw that. I keep them to myself and enjoy a good chuckle when days or years later it turns out that someone else found the same holes and exploited them.

      I'm sure I'm not the only one doing this. The aggregate effect, of course, is that it makes the Internet less safe for everyone. But I'm not going to risk being the next weev. Not worth it.

      So when you read about the next seventeen security breaches involving data loss incidents, you might wonder how many of those could have been avoided if unethical lying incompetent computer-illiterate assholes like Glenn Moramarco weren't given the power to destroy lives.

      link to this | view in chronology ]

      • icon
        John Fenderson (profile), 20 Mar 2014 @ 1:06pm

        Re: Re:

        "The aggregate effect, of course, is that it makes the Internet less safe for everyone. But I'm not going to risk being the next weev. Not worth it"

        If you really want to do a public service and alert companies and people to software vulnerabilities you've found, there are numerous ways to do that anonymously. You don't have to risk a thing.

        link to this | view in chronology ]

        • identicon
          PRMan, 20 Mar 2014 @ 1:45pm

          Re: Re: Re:

          Yeah, you could even do it anonymously using the username "weev".

          link to this | view in chronology ]

          • identicon
            Anonymous Coward, 21 Mar 2014 @ 2:16pm

            Re: Re: Re: Re:

            you could drop the info from seven proxies on a message/image board dedicated to computer security from a public computer requiring no login.

            link to this | view in chronology ]

            • identicon
              Anonymous Coward, 21 Mar 2014 @ 2:17pm

              Re: Re: Re: Re: Re:

              or google groups/usenet, some people still participate in those believe it or not

              link to this | view in chronology ]

      • icon
        madasahatter (profile), 20 Mar 2014 @ 6:45pm

        Re: Re:

        The danger is what you noted of this persecution. Uncovering and reporting a security hole should never be a crime. There are too many websites with serious security problems. Unfixed holes create too much risk for innocent users being harmed.

        link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Mar 2014 @ 12:46pm

      Re:

      if you change rule 4 to be more generic,

      4. to use a SYSTEM in a way that observers do not fully understand or do not like

      then we can encompass judges and lawyers as Hackers of the legal system

      link to this | view in chronology ]

  • identicon
    Ed Allen, 20 Mar 2014 @ 11:04am

    "Ignorance of the law" by the prosecutor

    Jurors are picked to have no knowledge of the subject of a
    trial but if the judge and the prosecutor lack knowledge as
    well then what purpose is the trial ?

    "Ignorance of the law" by the prosecutor ought to be grounds for a
    case to be dismissed if we had a system whose aim is Justice instead
    of prosecutorial head count !

    That is one of the functions of Jury Nullification. But
    both judges and prosecutors try hard to prevent jurors
    even hearing about that.

    link to this | view in chronology ]

    • icon
      beltorak (profile), 20 Mar 2014 @ 12:00pm

      Re: "Ignorance of the law" by the prosecutor

      I fully support that notion. If the prosecution doesn't even understand what is being prosecuted, how can there be a case?

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Mar 2014 @ 11:04am

    so, who actually brought the case for prosecution? i am assuming it was AT&T? if that is the case, i sincerely hope there is something further wrong with what they have for a website, it is found but not (obviously after this episode) reported and proves to be rather costly for AT&T.

    the really sad thing is that in return for exposing the flaw, people have been reported to the authorities by the company concerned. instead of holding up hands and getting all embarrassed, they have crucified those who wanted only to help. i fail to see how any amount of embarrassment can be worth removing 3.5 years of someone's life from them!!

    i also fail to see why the DoJ has gone after the guy rather than the company, which is clearly in the wrong, when it is supposed to be 'the justice dept'! but then, helping important industries seems to be even more important to them than actually following the law!

    link to this | view in chronology ]

    • icon
      Mike Masnick (profile), 20 Mar 2014 @ 12:05pm

      Re:

      so, who actually brought the case for prosecution?

      It's a criminal case, so the government brought the case.

      i am assuming it was AT&T?

      No, it's a criminal case, not a civil one.

      link to this | view in chronology ]

    • icon
      aldestrawk (profile), 20 Mar 2014 @ 2:43pm

      Re:

      Although the prosecution was brought by federal prosecutors within the DOJ, this case was initially investigated by the FBI at the behest of AT&T. I don't think one can minimize the influence of AT&T in getting the government to pursue this case, although the details of that influence will probably never be known publicly. The case was, and is, such a weak one that never should have been pursued. Recall two people were charged; Andrew Auernheimer (Weev) and Daniel Spitler. Spitler pleaded guilty to the charges and was sentenced to 3 years probation on January 24, 2014. Compare that to 41 months of prison for Weev. This is yet another example of how people are severely punished, particularly in federal court, for fighting the charges against them.

      I will provide the following timeline that shows how quickly the FBI got involved.

      June 3, 2010 - June 8, 2010: Spitler and Weev collect email address/ICCID pairs.

      June 6, 2010: Weev send emails to a handful of top media personnel whose emails were collected. He briefly explains how he came to know their email address and invites them to interview him. Weev explained that this was his way of, indirectly notifying AT&T of the security vulnerability.

      June 7, 2010: AT&T is notified of the security breach by a “business customer” who is not identified by AT&T.

      June 8, 2010: AT&T has stated that they fixed this vulnerability, by Tuesday, within hours of being notified of the problem. They did this by disabling or removing the code which pre-populated the log-in page with an email address.

      June 9, 2010: Weev contacts Ryan Tate of Gawker gives him the list of email address/ICCID pairings and details about their uncovering of AT&T's security hole. Gawker publishes and article that very afternoon including a handful of redacted pairings that were for notable people.

      June 10, 2010: Gawker is contacted by the FBI and issued a formal preservation of evidence notice.

      You can see that the FBI was involved very early on. I can imagine that they were contacted by some executive at AT&T as soon as AT&T had learned of the breach.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Mar 2014 @ 11:34am

    This just reaffirms my opinion that the government equates Google to the Internet.
    It makes sense if you think about this from their point of view.

    Entering a URL into the address bar is hacking. Therefore, they use their Google homepage to search for the sites they want to go to.

    link to this | view in chronology ]

  • identicon
    Crazy Canuck, 20 Mar 2014 @ 11:41am

    Hmmm, it's as bad as blowing up a nuclear plant? How is it the FBI didn't stop this guy before he figured it out? Were they too busy trying to catch other terrorists in another sting operation? =P

    link to this | view in chronology ]

  • identicon
    NAProtector, 20 Mar 2014 @ 11:59am

    Odd

    You think they would try to make him sound like Snowden's accomplice as he used a secret NSA method in monitoring and gathering peoples' information.

    link to this | view in chronology ]

  • identicon
    Just Another Anonymous Troll, 20 Mar 2014 @ 12:04pm

    If doing some computer stuff of questionable legality= 3.5 years in jail.
    And blowing up a nuclear plant= doing some computer stuff of questionable legality.
    Then, by the transitive property, blowing up a nuclear plant= 3.5 years in jail.
    I sense incoming terrorism directed at nuclear plants, as blowing one up should only be a 3.5 year sentence. *Insert happy NSA armed with justification for spying on completely innocent people*

    link to this | view in chronology ]

  • identicon
    Lurker Keith, 20 Mar 2014 @ 12:17pm

    pics

    I've been to sites that assign pics numerical identifiers, such that the only difference between some pics' URLs is a chain of numbers at the end. Quick uploaders have been able to get related pics (say panels of a comic) to be in numerical sequence, which lets me navigate a comic just by changing one number in the URL (that way I can look at the full image, rather than the pic in whatever reduced size their viewer shows it in... for comic panels, some of the words can be down right impossible to read in the smaller size).

    From what I remember & the recap, it looks like that's all this guy did. He noticed a numerical ID, presumably when he logged in, & changed his to something else to see what would happen, & then reported the problem.

    HOW ON EARTH IS THAT ILLEGAL IF HE REPORTED IT TO WHO HE WAS SUPPOSED TO? URLs have already been said to be public (they can't be copyrighted, for instance), so entering one or a chain shouldn't be a crime. How does finding a few URLs that someone screwed up the security on & pointing that out equate to jail time?

    This is exactly how I would have defended myself if it were me, & probably gotten a jury to actually understand what was done. If it's legal on one site, the identical thing can't be illegal on the other. If it is, the law is broken.

    link to this | view in chronology ]

    • icon
      That One Guy (profile), 20 Mar 2014 @ 12:43pm

      Re: pics

      It's due to the often invoked, but never mentioned 'Emperor's new clothes' clause in the law, where it's illegal to make the government and/or a large company look bad by showing how they screwed up, or how they broke/bent the law.

      link to this | view in chronology ]

    • icon
      John Fenderson (profile), 20 Mar 2014 @ 1:08pm

      Re: pics

      There's no sane reason for it to be illegal (and there's a TON of sane reasons it should not be illegal) even if he didn't report it to the company.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Mar 2014 @ 2:57pm

    Couldn't weev sue at this point or at least file for an appeal after all these blunders have been revealed? Or does rights to a lawyer end when corporations stop liking you?

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Mar 2014 @ 8:44pm

      Re:

      I suspect that if the prosecution thinks it will lose on facts it would rather lose on the technicality. Losing on the facts would remove the ability to use this logic on their next victim.

      link to this | view in chronology ]

  • icon
    madasahatter (profile), 20 Mar 2014 @ 6:59pm

    Blowing up nuclear power plants

    The prosecutor does not understand computers also knows nothing about nuclear reactors. Nuclear reactors, as designed, will not suffer the implied nuclear detonation. One of the worst case scenarios is overpressurization of the steam in the reactor causing the pressure and containment vessels to burst. Not a very easy to do in practice. The net effect would be a dirty conventional bomb. Nasty for those near by and to certain extent downwind, but no mushroom cloud.

    link to this | view in chronology ]

    • icon
      John Fenderson (profile), 21 Mar 2014 @ 8:41am

      Re: Blowing up nuclear power plants

      "Nasty for those near by and to certain extent downwind, but no mushroom cloud."

      Chernobyl says "who, me?"

      A disaster like that is indeed very difficult to pull off, but to minimize the effect of it like that is misleading. The presence/absence of a mushroom cloud isn't important. Chernobyl demonstrates that such events can have a very wide effect, not just for those nearby.

      Regardless, comparing what weev did to that sort of thing is just plain idiotic.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 23 Mar 2014 @ 5:07am

        Re: Re: Blowing up nuclear power plants

        The French tried to explain until they were blue in the face back then that a nuclear reactor CANNOT EXPLODE. To their ruin, it ruined a lot of their nuclear industry (the Chernobyl thing).

        Think about it, research it. The reactor at Cernobyl just disappeared, ceased to be, after an explosion. Russians (and Ukrainians and Belorussians in general know what's up on this one).

        A lot like Fukushima.

        link to this | view in chronology ]

  • icon
    btrussell (profile), 22 Mar 2014 @ 4:24am

    "But that point should have no bearing on whether or not exposing a security hole, by basically entering a URL that AT&T failed to secure, becomes a criminal activity."

    He should have been willfully blind. Wait, that doesn't work...

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.