Appeals Court Reverses Weev Conviction For Incorrect Venue, Avoids Bigger CFAA Questions

from the it's-a-start dept

We've been covering the prosection of Andrew "weev" Auernheimer for over a year, and things were not looking good for him, with the court seemingly stacking the deck in favor of a clueless DOJ. But instead, today the appeals court reversed his conviction and 3.5-year jail sentence (which, let's not forget, was handed to him for exposing a security flaw, under the DOJ's twisted interpretation of the Computer Fraud & Abuse Act).

The hope, of course, was that the court might address the ridiculousness of the charge and the huge problems of the CFAA, which currently permits the government to go after pretty much anyone who uses a computer in a way they don't like. Instead, the conviction was tossed for being in the wrong venue:

Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age, we find it necessary to reach only one that has been fundamental since our country’s founding: venue.

But, while the ruling punts on the CFAA, it raises some issues in its venue analysis that could themselves have a wider impact. Weev was prosecuted in New Jersey based on the flimsy rationale that New Jersey residents were affected by the security flaw exposure (but really because New Jersey has its own anti-hacking laws, and the DOJ was able to pursue a harsher punishment if the CFAA intersected with state laws). But the appeals court found that, since none of the allegedly illegal activities undertaken by weev happened in New Jersey, this was inappropriate:

The statute’s plain language reveals two essential conduct elements: accessing without authorization and obtaining information.

New Jersey was not the site of either essential conduct element. The evidence at trial demonstrated that the accessed AT&T servers were located in Dallas, Texas, and Atlanta, Georgia. In addition, during the time that the conspiracy began, continued, and ended, Spitler was obtaining information in San Francisco, California, and Auernheimer was assisting him from Fayetteville, Arkansas. No protected computer was accessed and no data was obtained in New Jersey.

Since the question of venue is still very muddy when it comes to the internet, this likely isn't the last we'll be hearing about this ruling, and its impact on other cases could prove interesting. It's also likely not an end to weev's story, and certainly not an end to government abuse of the CFAA. But, for now and at the very least, it says that if the DOJ is going to try to throw you in jail for the crime of Vaguely Misusing A Computer While Being Kind Of A Jerk, it at least has to do it in the correct venue instead of going fishing for the most favorable one.

Update: As noted in the First Word comment below, the ruling did make mention of the fact that no crime had been clearly established, which suggests that if the court had addressed the bigger questions about the charge, it may not have gone well for the DOJ. For now, we'll have to be satisfied with a non-binding footnote.

Filed Under: andrew auernheimer, cfaa, doj, hacking, venue, weev

Prosecutors Admit They Don't Understand What Weev Did, But They're Sure It's Like Blowing Up A Nuclear Plant

from the wtf? dept

We've been covering the ridiculous DOJ case against Andrew "weev" Auernheimer for quite some time. If you don't recall, Auernheimer and a partner found a really blatant security hole on AT&T's servers that allowed them to very easily find out the email addresses of iPad owners. There was no breaking in to anything. The issue was that AT&T left this all exposed. But, with a very dangerous reading of the CFAA (Computer Fraud and Abuse Act) and a bunch of folks who don't understand basic technology, weev was sentenced to 3.5 years in jail (and has been kept in solitary confinement for much of his stay so far). Part of the case is complicated by the fact that weev is kind of a world class jerk -- who took great pleasure in being an extreme online troll, getting a thrill out of making others miserable. But that point should have no bearing on whether or not exposing a security hole, by basically entering a URL that AT&T failed to secure, becomes a criminal activity.

Throughout the case, it's been clear that the DOJ was trying to make up an interpretation of the law that had no basis in the actual technology world. And it became abundantly clear at a hearing before the appeals court concerning weev's case, that the DOJ really has no idea what weev did. They're just sure it's bad because it involves computers and stuff. Seriously, as reported by Vice:

"He had to decrypt and decode, and do all of these things I don't even understand," Assistant US Attorney Glenn Moramarco argued.

Say what? If that's the basis for being declared a felon and locked up for 3.5 years, almost everyone is a felon. It's likely that under that "standard" Moramarco himself is a felon, because I'll bet he "decrypts and decodes and all of these things he doesn't understand" on pretty much a daily basis. But, a tip to the US Attorneys' office: when prosecuting a computer crime, you might want to at least try to have someone who actually understands the fundamental basics of what the person you've locked up has done.

But, Moramarco apparently doesn't want to let his complete ignorance of what actually happened (someone putting a URL into a box and seeing the page that AT&T failed to secure) to get in the way of insane hyperbole about what he thinks weev did:

In its opening statement, the government made an incendiary comparison that seemed to reflect the nature of its understanding of the crime: the prosecution compared Auernheimer's deeds to hackers "[blowing] up a nuclear power plant in New Jersey" in an attempt to illustrate how it was a relevant venue.

Yes, apparently exposing the fact that AT&T left its customers' info wide open to anyone is the equivalent of blowing up a nuclear power plant. Yikes.

As the article notes, much of the hearing actually focused on the question of venue, and it appears that weev may get off on something of a technicality. Prosecutors had moved the case to New Jersey for no known reason and so it may get rejected for being the improper venue, which potentially could mean that the appeals court never even addresses the issue of just how badly the DOJ twisted the CFAA to bring down weev. The judges appear to be considering this, as they noted that based on the details of the case, there was no apparent connection to New Jersey and no reason why the DOJ couldn't have brought the case anywhere (one judge apparently mentioned Hawaii).

The case is important because of all the CFAA abuse we've seen by the DOJ over recent years, and now it sounds like the appeals court may be able to just skip over that issue entirely. Given the DOJ's own admissions of its lack of understanding about weev's actions, that actually might be the best thing for the DOJ, allowing it to continue to make completely bogus CFAA arguments to take down technologically sophisticated people that the DOJ doesn't like and doesn't understand.

Filed Under: andrew auernheimer, cfaa, computer hacking, doj, glenn moramarco, security holes, trolls, venue, weev
Companies: at&t

Appeals Court Says Feds Can File Oversized Brief In Weev Case, But His Defense Has To Keep Its Reply Short

from the due-process! dept

The case against Andrew "weev" Auernheimer is already crazy enough. He's been charged by the feds with a violation of the Computer Fraud and Abuse Act (CFAA) for finding a huge security hole created by AT&T. Still, a court found him guilty. The appeal is ongoing, with the DOJ basically arguing that weev broke a rule that it made up. And, now, the third circuit appeals court is apparently stacking the deck against weev.

The government had made a request to file an "oversized" brief to present their case. In response, weev's lawyers requested the ability to file an "oversized" brief in reply to the government's brief. The DOJ did not oppose this request. Yet, the court approved the government's request while denying the defense request. In short: the government can file a giant brief throwing the kitchen sink of legal theories at weev, while weev's team is limited in how much space it has to reply. No matter what you think of weev, who seemed to take joy in pissing off just about everyone, at the very least you'd think he deserved the right to present a full response to the claims made against him by the government.

Filed Under: andrew auernheimer, cfaa, doj, oversized brief, weev

The DOJ's Insane Argument Against Weev: He's A Felon Because He Broke The Rules We Made Up

from the bad-news-all-around dept

We've covered the lawsuit against Andrew "weev" Auernheimer, in which the feds pushed criminal charges against him under the Computer Fraud and Abuse Act (CFAA) for discovering a massive (and ridiculous) security hole in the way AT&T set up the iPad. Basically, they saw that AT&T handed out iPad IDs in numerical order, and then left the website open, allowing him (and a partner) to just increment by number and get back email addresses on everyone who owned an iPad. The feds seemed to argue that this was some nefarious evil hack, and Auernheimer was sentenced to 41 months in prison and has to pay $73,000 to AT&T (roughly the cost it took AT&T to inform its customers of its own bone-headed lack of security). So much about this case is ridiculous, and it's complicated by the fact that nearly everyone agrees that weev is a world-class jerk. But, you need to separate that out from the details of what he did here, to note that it was nothing particularly special, and it involved the sort of thing that security researcers do all the time, and which all sorts of non-security researchers do quite often.

Auernheimer is appealing, and the DOJ filed its brief a week and a half ago. It took me until this weekend to finally have the time to dig into the full 133 pages, to realize just how ridiculous the whole thing is. Tim Lee, over at The Switch has a great explanation of what's going on here aimed at less technologically savvy folks. Meanwhile, Robert Graham has an equally fantastic writeup for the slightly more technically savvy world over at Errata Security.

We'll dig into some of the details in a bit, but as Graham points out, the feds somewhat obnoxiously nearly doubled the word limit imposed by the Third Circuit (the brief is 26,495, but the court only allows 14,000 as an upper limit). This is ridiculously unfair, because it lets the DOJ go on, at length, making claims that are almost wholly untrue, and at times ridiculous, while weev's lawyers were hamstrung in limiting what they could put in their own brief. Welcome to the criminal justice system where the DOJ still seems to think it gets to play by its own rules.

And, really, that's the most ridiculous part of all of this, because while the DOJ wants to play by its own rules, nearly its entire argument against Auernheimer is that he "didn't play by the rules" where "the rules" it's talking about aren't actual rules at all, but rather what the DOJ makes up in the minds of some clearly technologically-illiterate lawyers.

The short version is that the government's case is quite scary in the way it portrays weev's actions -- such that it could easily criminalize all sorts of things. For example, it goes on about changing the user-agent, as if this is some awful thing and a form of "lying."

Spitler changed the user agent in his Account Slurper program in order to trick the servers into thinking that he was using an iPad.... He “lied to the AT&T servers” in order to get the information.... Spitler gathered this information without asking for permission from AT&T or from any of the iPad users that he was impersonating.... AT&T did not design its system to allow these email addresses to be made public.

There are so many problems with this. First, there are no hard and fast rules about user-agents that suggest this sort of thing is breaking the law. As both Graham and Lee point out, if "faking" the user-agent is a form of "lying," nearly every browser does that and has for years. That's because years ago, Microsoft added "Mozilla" to its user-agent since many websites optimized for different browsers, and Microsoft wanted servers to believe it was competitor Netscape, which many sites had designed to be nicer. So pretty much all browsers "lie." Hell, for many years I've personally used "user agent switcher," a plugin for browsers, to change my browser user agent at times, mostly for simple testing on certain websites, and sometimes for reporting purposes (to see how different sites provide different info to different browsers). I never thought I was "lying" or coming close to committing a crime. It's just a bit of info a browser, or other piece of software, sends to a server to get information returned.

Similarly, the idea that AT&T "did not design its system to allow these email addresses to be made public" is simply, empirically, false. If they hadn't designed it that way, then weev and his partner wouldn't have been able to access it the way they did. The problem was clearly AT&T totally failed to lock down this system. Furthermore, they didn't need to "ask permission" because they sent a request to the server and the server answered. If they didn't have permission, the server would have rejected the request. It didn't. The problem was very clearly AT&T's. To charge weev with criminal charges for this is really insane.

Changing the user agent isn't breaking any "rules" -- except in the mind of the DOJ.

The DOJ really stretches to try to paint the actions by Auernheimer's partner as some masterful "hack" when the details suggest otherwise. The brief goes on at length about all the "steps" that Daniel Spitler had to go through to get access to the information, but most of the "steps" are ridiculously padded, because they have nothing to do with the "hack" itself, but were merely about Spitler trying to setup his computer to act like an iPad. That might sound odd and involved to the clueless lawyers at the DOJ, but this sort of thing is done all the freaking time by security researchers. That's how they can more easily test stuff out, by getting their computers to act like other machines. In theory, I guess, Spitler could have done the whole thing via an iPad, but what's the point? The whole idea was, in part, looking for security vulnerabilities. The fact that it took Spitler a bit of time and effort to get his computer to emulate an iPad has nothing to do with the scanning itself, but the DOJ uses it as if it shows how "difficult" AT&T made it to find these emails. That's wrong. AT&T made it quite easy to find the emails. The fact that Spitler had some trouble getting a computer to emulate an iPad is a totally separate issue.

From there, the DOJ starts playing dirty, pretending that because judicial law clerks can't find the same kind of security hole, it somehow means that Spitler and Auernheimer were up to no good:

If an ordinary, but reasonably sophisticated computer user, like a typical judicial law clerk, had been assigned the task of compiling a list of e-mail addresses of iPad users available on AT&T’s servers, he almost certainly would not have been able to duplicate what Spitler did. The law clerk would likely go to AT&T’s website and search in vain for any links or other means to access this information. No hyperlinks or search engine requests would have produced the desired results.

This is really obnoxious. The US Attorneys working on this case know that a judicial law clerk is going to make the key call on this case, and this is a way to flatter those law clerks, claiming that they're "sophisticated computer users." But a "sophisticated computer user" is quite different from a security researcher or a higher level technically proficient user. The fact that they couldn't find this info via a search engine is meaningless. No one is arguing that the info was available via search -- but rather that it was incredibly wide open because of a security hole, and yes, you'd need some level of technical proficiency to figure it out, but as far as I know there's no law making it illegal to be more technically proficient than a law clerk.

Later, the DOJ argues that using the ICC-ID number, which AT&T assigned incrementally is the equivalent of using a password. They're apparently not joking:

The argument that the ICC-ID “is not a password,” begs the question of what counts as a “password.” Wikipedia defines a “password” as “a secret word or string of characters used for user authentication to prove identity or access approval to gain access to a resource (example: an access code is a type of password), which should be kept secret from those not allowed access.”... MK makes the facile argument that an ICC-ID is not a password because it is frequently printed on the outside of phone packaging, and thus is not secret. But that cannot be correct. Combinations to locks are often printed on the packaging, but the combination nevertheless is the secret “password” that opens the lock. Openness to the public prior to purchase is irrelevant, because after purchase the combination becomes the owner’s secret. So too with an ICC-ID. Once a phone or other device using an ICC-ID is purchased, no one can easily learn the ICC-ID unless he or she actually possesses it.

Try not to guffaw. Yes, even though the ICC-ID is just an incremental number, permanently stuck to a device, and is permanently printed on the device, the DOJ is insisting that it's still just like a password. The fact that combinations are printed on packaging is meaningless, because it's not meant to be left on the lock. Furthermore, this totally ignores the fact that the ICC-IDs were incremental. If AT&T had intended them to be secret, rule number one would have been to use a system that you couldn't guess others accounts merely by adding one. And it gets worse:

An ICC-ID, unlike a password, is a unique identifier. In that regard, when it is used to gain access to a server, it can be even more secure than a password chosen by a user, which frequently can be guessed. Certainly a 19 or 20 digit ICC-ID is harder to guess using brute force than a typical four-digit ATM access code, misuse of which would certainly constitute a CFAA violation.

Except, uh, that's not how an ATM card password works (and, yes, ATM cards are not particularly secure). You don't put your ATM card into a machine and it automatically reads the code off the card and lets you into your account. That is, the PIN code is designed to be separate from the card, with the idea being that to get into your account you need both something physical and something in your head. The ICC-ID isn't like that. It was designed to let the user automatically access their account without a password. There wasn't that second "thing in your head" that makes a password a password.

From there, the DOJ tries to attack the fact that the "hack" was merely adjusting the URL incrementally to access each account. It does this by arguing that because SQL injection attacks can happen via a URL, therefore any "hack" via a URL can be a malicious hack.

For example, Albert Gonzalez was the mastermind of a credit card theft ring responsible for reselling more than 170 million credit card and ATM numbers from 2005 through 2007, the largest such fraud in history.... Gonzalez’s ring used what is known as an SQL injection attack, which can be performed by entering an “address” in a URL or entering data in publicly facing web forms. In many common SQL injection attacks, the challenge for the hackers is to determine the correct characters to send to the network’s database storing the data the attacker intends to exfiltrate. However, once the vulnerability is determined and the appropriate combination of characters is discovered, many SQL injection attacks can be reduced to a URL because malicious code entered into a form field in a website is often delivered to the victim’s network from the attacker’s computer in the form of a URL that includes within it the malicious string.

But, an SQL injection attack is very very different than merely incrementing a number in a URL. Yet, the DOJ wants to equate the two. That's crazy. It goes on to try to link the two things much more closely:

And the result of these attacks, like the result in SQL injections, is that the browser returns unauthorized data from a database. An SQL injection attack is among the most dangerous and notorious hacks used today...

Sure, an SQL injection attack can be "dangerous and notorious," but that's because it's entirely different than incrementing a number. An SQL injection to gain much more power over an entire server is not the same as just flipping through pages that are easily available. The attempt to link the two is crazy, but certainly could be used to mislead a less technically savvy "law clerk," for example.

Later, the DOJ further argues Auernheimer and Spitler were guilty of bad things because they didn't contact AT&T, but rather purposely chose to go to the press (specifically, Gawker) to publicize the discovery of the security vulnerability. While it's true that it's common to alert a company ahead of time, the fact that they didn't do this is kind of meaningless here. If they were really up to no good, they wouldn't have publicized the vulnerability at all. Yes, they sought to "benefit" from it: they wanted to use it to get attention for their security work at Goatse Security. But using the discovery of a security vulnerability to help get attention for their own security research operation doesn't seem like evidence of nefarious intent. In fact, it seems like exactly the opposite. Then there's this craziness:

The groups of security researchers and computer professionals who have filed amicus briefs in this case need not be troubled by this prosecution of this black hat hacker. Major technology companies today – Microsoft, Google, Facebook, PayPal, and Mozilla, to name a few – all pay bounties to white hat hackers who find flaws in their systems and thereby help keep them secure. The Government is not aware of any instance in which a security researcher who followed the rules of ethical hacking was prosecuted for violating the CFAA. Often, when a white hat hacker discovers and reports a security flaw, he is rewarded financially for his work by the company that he has hacked. But no one, not even a white hat hacker, gets to make his own rules.

Except, as Graham notes, the list above is the entire list of tech companies who pay bounties to white hat hackers. Most tech companies don't do that, including... AT&T. Furthermore, Graham highlights this wacky line: "The Government is not aware of any instance in which a security researcher who followed the rules of ethical hacking was prosecuted for violating the CFAA." Yes, they're back to their made up "rules." As Graham points out in response:

This is circular logic, saying that people who follow the rules don't break the rules. When the prosecutors make the arbitrary decision that you've violated the CFAA, they'll likewise decide that you don't follow the rules of ethical hacking. Such circular logic is the basis for the prosecutor's entire argument: Weev is a bad guy because he's a bad guy.

When that's the way the law is read, you no longer have the rule of law. And that's why the case against Auernheimer is so ridiculous. It only works if the feds get to make up the rules as they go along, and argue that something is wrong, because they say it's wrong.

Filed Under: andrew auernheimer, authorized access, cfaa, daniel spitler, doj, hacking, security research, user agent, weev
Companies: at&t

Orin Kerr And Members Of The EFF Representing AT&T Hacker 'Weev' Pro Bono During His Appeal

from the and-hopefully,-head-off-further-damaging-CFAA-precedent dept

Andrew "Weev" Auernheimer is appealing his 41 month prison sentence (and its accompanying fine of $73,000). Many members of the security community have expressed concern with this ruling, especially in light of other CFAA cases. Auernheimer's exposure of AT&T's security hole doesn't really seem like the sort of thing that should be punished, at least not with multiple years in jail and a hefty fine. Then there's the unsettling feeling that the US prosecutors pushed hard for a prison sentence because they found Weev unlikable.

Fortunately for Weev (and others who have or will run afoul of the CFAA), Orin Kerr has stepped up to offer pro bono representation in Auernheimer's appeal (along with members of the EFF). Kerr, most recently spotted here going head-to-jackass with Rep. Gohmert over the legality of "destroying" a hacker's computer, has a very thorough post discussing his reasons for joining the fray. Basically, it boils down to this: nearly everything about the government's decision is wrong, which is problematic if this ruling is going to be used as precedent in future CFAA cases.

In the government’s view, visiting the URLs was an unauthorized access of AT&T’s website. But I think that’s wrong. At bottom, the conduct here was visiting a public website. As the Sixth Circuit stated in Pulte Homes, Inc. v. Laborers’ International Union Of North America, 648 F.3d 295 (6th Cir. 2011), everyone is authorized to visit an “unprotected website” that is “open to the public.” The fact that AT&T would not have wanted Spitler to visit those particular URLs doesn’t make visiting the public website and collecting the information a criminal unauthorized access. If you make information available to the public with the hope that only some people would bother to look, it’s not a crime for other people to see what you make available to them.

According to Kerr, undesirable access does not equal unauthorized access. The URLs were publicly available due to AT&T's own carelessness. What this actually looks like is the vindictive pursuit of an individual for publicly embarrassing the company. But it's not all on AT&T. The prosecutors themselves had to do a bit of creative sentencing to arrive at a "suitable" punishment for Weev's "hack."

Unauthorized access is ordinarily a misdemeanor. Why is this crime a felony? Here’s the government’s remarkable theory. All 50 states have state unauthorized access computer crime statutes similar to the federal unauthorized access statute. The government’s theory is that this overlap turns essentially all federal CFAA misdemeanors into federal felonies. They rely on 18 U.S.C. 1030(C)(2)(B)(ii), which states that a misdemeanor unauthorized access becomes a felony when it is “in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” The government argues that the existence of state unauthorized access crimes transform unauthorized access misdemeanor crimes into felonies: The overlap means that every federal unauthorized access crime is a federal crime “in furtherance of” the analogous state crime.

As Kerr states, this is nothing more than disingenuous double-counting being done for no other reason than to make the charges carry some weight. A misdemeanor results in a slap on the wrist, something that would hardly make AT&T happy. This isn't Kerr's (or the government's) first experience with hacking-related double-counting.

Back in 2011, Sarah Palin's email account was hacked and the Justice Department attempted to charge the hacker under two overlapping laws: "hacking into a computer" and "hacking an email account." This was overturned on appeal by the Fourth Circuit court, stating that the Justice Department's attempt to double dip a single action violated US principles on double jeopardy. This situation is more of the same, only with a convenient overlap of federal and state laws allowing prosecutors to ratchet up the charges from a misdemeanor to a full-blown felony.

In addition to these problems, Kerr also finds some jurisdictional issues at play. Even though none of the principals are located in New Jersey, the charges were brought in that state. The rationale? Some of the email addresses belonged to New Jersey residents. This paper-thin justification for filing charges in a pretty much unrelated state gives the appearance of prosecutorial venue shopping.

The most ridiculous aspect of the case is Kerr's final reason for stepping in: the sentence.

The largest part of Auernheimer’s sentence was due to an alleged $73,000 in loss suffered by AT&T. Under the provisions of the Sentencing Guidelines associated with 18 U.S.C. 1030, sentences are based primarily on the amount of loss caused by the crime. More dollar loss to the victim means more time in prison for the defendant.

AT&T claims it incurred costs of $73,000 due to Auernheimer's actions. But it claimed no loss to its computers, it suffered no downtime and lost no data. The only assertion of loss comes via AT&T's efforts to notify customers of the data breach.

First, AT&T notified its customers by e-mail. That was free, leading to a “cost” so far of zero. But then AT&T decided to follow-up the e-mail notification with paper letter notification, and the postage and paper costs amounted to about $73,000.

That's right. Auernheimer has to repay AT&T for envelopes and stamps with $73,000 of his own money -- and 3-1/2 years of his life. As Kerr points out, AT&T cannot reasonably pin this notification expense on Auernheimer as these costs are not "directly attributable" to the defendant's access of its supposedly off-limits URLs. Furthermore, Kerr says these costs are not "reasonable," considering AT&T's electronic notice to its customers was largely successful. In essence, Weev is doing time because he raided AT&T's petty cash box by proxy. Hopefully, this appeal will overturn this misguided sentence and prevent the CFAA from becoming an even worse law, thanks to the precedent set by this decision.

Filed Under: andrew auernheimer, cfaa, eff, orin kerr, weev

Expose A Blatant Security Hole In AT&T's Servers, Get 3.5 Years In Jail

from the now-the-holes-will-be-open-longer dept

We've written a few times about the case of Andrew Auernheimer, perhaps better known as weev. While he has a bit of a reputation as an online troll, and self-admitted jerk, his case is yet another example of how ridiculously broken the CFAA (Computer Fraud and Abuse Act) remains. In this case, what he did was expose a pretty blatant security hole in AT&T's servers, that allowed anyone to go in and find the emails of any AT&T iPad owner, merely by incrementing the user ID. This isn't a malicious "hack." It's barely a "hack" at all. This isn't "breaking in." This is just exploring a totally broken system. To call attention to this, weev collected information on a bunch of famous folks who had iPads and alerted the press. This is what security folks do all the time. And for his troubles in helping AT&T discover and close a pretty bad security hole, he's been sentenced to 41 months in prison plus he has to pay $73,000 to AT&T. One hopes AT&T will use it to hire half a decent security person or something.

The sentencing, by the way, was near the top of the "guidelines" the judge had, for those who insisted that the courts in other CFAA cases, such as Aaron Swartz's might be lenient.

Plenty of people -- especially in the security community, are realizing what a ridiculous ruling this is and how dangerous it is. As people are starting to point out, while he may be a jerk, that doesn't mean he's a criminal. The prosecution used chat logs in which Auernheimer and a friend, Daniel Spitler, discussed the effort, and the fact that they talked about harming AT&T's reputation and promoting themselves as security experts. I don't see how that leads to any criminal activity though. AT&T's reputation should be tarnished for having crap security. And why wouldn't some researchers talk about using the discovery of a really bad privacy hole by a major corporation to boost their own credentials. Pretty much anyone in their shoes would reasonably think the same thing.

Prosecutors, of course, played up Auernheimer's history of being a jerk, but that alone has little to do with his actions here:

"His entire adult life has been dedicated to taking advantage of others, using his computer expertise to violate others' privacy, to embarrass others, to build his reputation on the backs of those less skilled than he," wrote U.S. Attorney Paul Fishman, who went on to note the "atypical recalcitrance by the defendant to conform to the laws regarding unauthorized computer access."

While that may be true, none of that, by itself, is illegal. And the actions that exposed a glaring hole put in place by bad programmers at AT&T shouldn't be either.

Filed Under: andrew auernheimer, cfaa, hacking, jailtime, research, security, weev
Companies: at&t

Expose Blatant Security Hole From AT&T... Face Five Years In Jail

from the security-through-threat-of-intimidation dept

A few years ago, we wrote about some hackers who exposed a really basic security flaw in AT&T's setup for iPad users. Basically, if you fed an ID to a website, it would return the email address of the account. And, on top of that, AT&T appeared to hand out the IDs in numerical order, so it was easy to just run through a bunch of IDs in order and collect a ton of users' info. And that's what these hackers did -- collecting a variety of emails including the President of News Corp., the CEO of Dow Jones and Mayor Bloomberg in New York. They got lots of other government officials as well: "Rahm Emanuel and staffers in the Senate, House of Representatives, Department of Justice, NASA, Department of Homeland Security, FAA, FCC, and National Institute of Health, among others."

This seemed like a pretty massive flaw in the design of the system by AT&T... but of course, all of the blame is falling on the guys who exposed the hole. It seems noteworthy that the pair of hackers who exposed this are known for trollish online behavior, and Andrew Auernheimer, who goes by the name weev, has flat out called himself an internet troll. It seems that the FBI decided to use the trollish nature of Auernheimer and collaborator Daniel Spitler to argue that this hack actually violated the incredibly poorly-worded and misunderstood Computer Fraud and Abuse Act (CFAA). That's a law that we've been discussing for a few years now, as law enforcement and courts keep trying to stretch the definition of what counts as "unauthorized access" under the bill.

Unfortunately, in this case, a jury was convinced that the discovery of this security hole left by AT&T was actually a crime, and Auernheimer is now facing five years in jail. Not surprisingly, he plans to appeal. Of course, part of the issue is that Auernheimer discussed, but did not actually do, a variety of bad things he could have done with the data in question, before eventually just revealing the security hole to the media.

Obviously, there may be a fine line between "white hat" exposure of security flaws and nefarious activity, but given that all that really happened here was the exposure of really poorly thought-out programming by AT&T, it seems bizarre that the guy who exposed it is now facing years in jail.

Filed Under: andrew auernheimer, ipad, security hole, user ids, weev
Companies: apple, at&t