Prosecutors Admit They Don't Understand What Weev Did, But They're Sure It's Like Blowing Up A Nuclear Plant
from the wtf? dept
We've been covering the ridiculous DOJ case against Andrew "weev" Auernheimer for quite some time. If you don't recall, Auernheimer and a partner found a really blatant security hole on AT&T's servers that allowed them to very easily find out the email addresses of iPad owners. There was no breaking in to anything. The issue was that AT&T left this all exposed. But, with a very dangerous reading of the CFAA (Computer Fraud and Abuse Act) and a bunch of folks who don't understand basic technology, weev was sentenced to 3.5 years in jail (and has been kept in solitary confinement for much of his stay so far). Part of the case is complicated by the fact that weev is kind of a world class jerk -- who took great pleasure in being an extreme online troll, getting a thrill out of making others miserable. But that point should have no bearing on whether or not exposing a security hole, by basically entering a URL that AT&T failed to secure, becomes a criminal activity.Throughout the case, it's been clear that the DOJ was trying to make up an interpretation of the law that had no basis in the actual technology world. And it became abundantly clear at a hearing before the appeals court concerning weev's case, that the DOJ really has no idea what weev did. They're just sure it's bad because it involves computers and stuff. Seriously, as reported by Vice:
"He had to decrypt and decode, and do all of these things I don't even understand," Assistant US Attorney Glenn Moramarco argued.Say what? If that's the basis for being declared a felon and locked up for 3.5 years, almost everyone is a felon. It's likely that under that "standard" Moramarco himself is a felon, because I'll bet he "decrypts and decodes and all of these things he doesn't understand" on pretty much a daily basis. But, a tip to the US Attorneys' office: when prosecuting a computer crime, you might want to at least try to have someone who actually understands the fundamental basics of what the person you've locked up has done.
But, Moramarco apparently doesn't want to let his complete ignorance of what actually happened (someone putting a URL into a box and seeing the page that AT&T failed to secure) to get in the way of insane hyperbole about what he thinks weev did:
In its opening statement, the government made an incendiary comparison that seemed to reflect the nature of its understanding of the crime: the prosecution compared Auernheimer's deeds to hackers "[blowing] up a nuclear power plant in New Jersey" in an attempt to illustrate how it was a relevant venue.Yes, apparently exposing the fact that AT&T left its customers' info wide open to anyone is the equivalent of blowing up a nuclear power plant. Yikes.
As the article notes, much of the hearing actually focused on the question of venue, and it appears that weev may get off on something of a technicality. Prosecutors had moved the case to New Jersey for no known reason and so it may get rejected for being the improper venue, which potentially could mean that the appeals court never even addresses the issue of just how badly the DOJ twisted the CFAA to bring down weev. The judges appear to be considering this, as they noted that based on the details of the case, there was no apparent connection to New Jersey and no reason why the DOJ couldn't have brought the case anywhere (one judge apparently mentioned Hawaii).
The case is important because of all the CFAA abuse we've seen by the DOJ over recent years, and now it sounds like the appeals court may be able to just skip over that issue entirely. Given the DOJ's own admissions of its lack of understanding about weev's actions, that actually might be the best thing for the DOJ, allowing it to continue to make completely bogus CFAA arguments to take down technologically sophisticated people that the DOJ doesn't like and doesn't understand.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: andrew auernheimer, cfaa, computer hacking, doj, glenn moramarco, security holes, trolls, venue, weev
Companies: at&t
Reader Comments
The First Word
“...the definition of 'hacking' has been updated.
hack, verb
1. to cut and clear (a way, path, etc.), as through undergrowth
2. to cough in short dry spasmodic bursts
3. to manipulate a computer program skilfully, esp, to gain unauthorized access to another computer system
4. to use a computer in a way that observers do not fully understand or do not like
Subscribe: RSS
View by: Time | Thread
It seems technology is not the only thing he fails at understanding considering the judicial process and the law enforcement side screw ups.
[ link to this | view in chronology ]
It could be a reasonable comparison.
Let's be realistic here. How bad would it be to blow up a nuclear power plant in New Jersey? I mean you can't even buy a Tesla there anymore.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
IOW
[ link to this | view in chronology ]
Someone please
How in the nine circles of hell is that considered an admissable, non-inflamatory comment?
[ link to this | view in chronology ]
Re: Someone please
[ link to this | view in chronology ]
Re: Re: Someone please
[ link to this | view in chronology ]
Re: Re: Re: Someone please
(That's always the right answer these days.)
[ link to this | view in chronology ]
Re: Re: Re: Re: Someone please
[ link to this | view in chronology ]
Re: Someone please
How in the nine circles of hell is that considered an admissable, non-inflamatory comment?
Because the defense attorney was not smart enough to object?
[ link to this | view in chronology ]
Re: Re: Someone please
But yeah, the defense attorney should have objected very loudly, and very clearly, over such a blatant attempt at poisoning the jury against his client by comparing his action to something that's not even remotely similar.
[ link to this | view in chronology ]
No known reason?!?!?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
Except with less chance of radiation sickness.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re:
You then decide to go to your next door neighbor's house. You see that his name, address, phone and SSN are posted on his door too. You then realize that you could go around the neighborhood and get anyone's full contact information.
So you go on a blog and say "The Power Company are idiots. They exposed everyone's data. What a bunch of stupid fools!"
Then they arrest you (for 3.5 years and put you in solitary) for breaking into every house in the neighborhood, even though all you had to do was go to every address and look at the posting on the front door.
The prosecutors then say that because of your awesome B&E skills, you could have just as easily broken into the nuclear power plant and caused a meltdown.
[ link to this | view in chronology ]
...the definition of 'hacking' has been updated.
hack, verb
1. to cut and clear (a way, path, etc.), as through undergrowth
2. to cough in short dry spasmodic bursts
3. to manipulate a computer program skilfully, esp, to gain unauthorized access to another computer system
4. to use a computer in a way that observers do not fully understand or do not like
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
FTFY
[ link to this | view in chronology ]
Re:
So screw that. I keep them to myself and enjoy a good chuckle when days or years later it turns out that someone else found the same holes and exploited them.
I'm sure I'm not the only one doing this. The aggregate effect, of course, is that it makes the Internet less safe for everyone. But I'm not going to risk being the next weev. Not worth it.
So when you read about the next seventeen security breaches involving data loss incidents, you might wonder how many of those could have been avoided if unethical lying incompetent computer-illiterate assholes like Glenn Moramarco weren't given the power to destroy lives.
[ link to this | view in chronology ]
Re: Re:
If you really want to do a public service and alert companies and people to software vulnerabilities you've found, there are numerous ways to do that anonymously. You don't have to risk a thing.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
4. to use a SYSTEM in a way that observers do not fully understand or do not like
then we can encompass judges and lawyers as Hackers of the legal system
[ link to this | view in chronology ]
"Ignorance of the law" by the prosecutor
trial but if the judge and the prosecutor lack knowledge as
well then what purpose is the trial ?
"Ignorance of the law" by the prosecutor ought to be grounds for a
case to be dismissed if we had a system whose aim is Justice instead
of prosecutorial head count !
That is one of the functions of Jury Nullification. But
both judges and prosecutors try hard to prevent jurors
even hearing about that.
[ link to this | view in chronology ]
Re: "Ignorance of the law" by the prosecutor
[ link to this | view in chronology ]
the really sad thing is that in return for exposing the flaw, people have been reported to the authorities by the company concerned. instead of holding up hands and getting all embarrassed, they have crucified those who wanted only to help. i fail to see how any amount of embarrassment can be worth removing 3.5 years of someone's life from them!!
i also fail to see why the DoJ has gone after the guy rather than the company, which is clearly in the wrong, when it is supposed to be 'the justice dept'! but then, helping important industries seems to be even more important to them than actually following the law!
[ link to this | view in chronology ]
Re:
It's a criminal case, so the government brought the case.
i am assuming it was AT&T?
No, it's a criminal case, not a civil one.
[ link to this | view in chronology ]
Re:
I will provide the following timeline that shows how quickly the FBI got involved.
June 3, 2010 - June 8, 2010: Spitler and Weev collect email address/ICCID pairs.
June 6, 2010: Weev send emails to a handful of top media personnel whose emails were collected. He briefly explains how he came to know their email address and invites them to interview him. Weev explained that this was his way of, indirectly notifying AT&T of the security vulnerability.
June 7, 2010: AT&T is notified of the security breach by a “business customer” who is not identified by AT&T.
June 8, 2010: AT&T has stated that they fixed this vulnerability, by Tuesday, within hours of being notified of the problem. They did this by disabling or removing the code which pre-populated the log-in page with an email address.
June 9, 2010: Weev contacts Ryan Tate of Gawker gives him the list of email address/ICCID pairings and details about their uncovering of AT&T's security hole. Gawker publishes and article that very afternoon including a handful of redacted pairings that were for notable people.
June 10, 2010: Gawker is contacted by the FBI and issued a formal preservation of evidence notice.
You can see that the FBI was involved very early on. I can imagine that they were contacted by some executive at AT&T as soon as AT&T had learned of the breach.
[ link to this | view in chronology ]
It makes sense if you think about this from their point of view.
Entering a URL into the address bar is hacking. Therefore, they use their Google homepage to search for the sites they want to go to.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Odd
[ link to this | view in chronology ]
And blowing up a nuclear plant= doing some computer stuff of questionable legality.
Then, by the transitive property, blowing up a nuclear plant= 3.5 years in jail.
I sense incoming terrorism directed at nuclear plants, as blowing one up should only be a 3.5 year sentence. *Insert happy NSA armed with justification for spying on completely innocent people*
[ link to this | view in chronology ]
pics
From what I remember & the recap, it looks like that's all this guy did. He noticed a numerical ID, presumably when he logged in, & changed his to something else to see what would happen, & then reported the problem.
HOW ON EARTH IS THAT ILLEGAL IF HE REPORTED IT TO WHO HE WAS SUPPOSED TO? URLs have already been said to be public (they can't be copyrighted, for instance), so entering one or a chain shouldn't be a crime. How does finding a few URLs that someone screwed up the security on & pointing that out equate to jail time?
This is exactly how I would have defended myself if it were me, & probably gotten a jury to actually understand what was done. If it's legal on one site, the identical thing can't be illegal on the other. If it is, the law is broken.
[ link to this | view in chronology ]
Re: pics
[ link to this | view in chronology ]
Re: Re: pics
No need to repeat yourself.
[ link to this | view in chronology ]
Re: Re: Re: pics
[ link to this | view in chronology ]
Re: pics
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Blowing up nuclear power plants
[ link to this | view in chronology ]
Re: Blowing up nuclear power plants
Chernobyl says "who, me?"
A disaster like that is indeed very difficult to pull off, but to minimize the effect of it like that is misleading. The presence/absence of a mushroom cloud isn't important. Chernobyl demonstrates that such events can have a very wide effect, not just for those nearby.
Regardless, comparing what weev did to that sort of thing is just plain idiotic.
[ link to this | view in chronology ]
Re: Re: Blowing up nuclear power plants
Think about it, research it. The reactor at Cernobyl just disappeared, ceased to be, after an explosion. Russians (and Ukrainians and Belorussians in general know what's up on this one).
A lot like Fukushima.
[ link to this | view in chronology ]
He should have been willfully blind. Wait, that doesn't work...
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]