"What we found was the attackers were actually looking for the accounts that we had lawful wiretap orders on," Aucsmith says. "So if you think about this, this is brilliant counter-intelligence. You have two choices: If you want to find out if your agents, if you will, have been discovered, you can try to break into the FBI to find out that way. Presumably that's difficult. Or you can break into the people that the courts have served paper on and see if you can find it that way. That's essentially what we think they were trolling for, at least in our case."

Defenders of the FBI proposal tend to pooh-pooh security concerns raised about requirisng such backdoors: Our brilliant American programmers, they assert, will find ways to enable wiretapping without creating new vulnerabilities. But if a company like Google, with its massive financial resources and a stable of some of the smartest coders anywhere, can be victimized in this way, how realistic is it to expect thousands of Internet startups to achieve better security?

The unprotected TerraCom and YourTel records came to light through the simplest of tools: a reporter’s Google search of TerraCom.

The records include 44,000 application or certification forms and 127,000 supporting documents or “proof” files, such as scans or photos of food-stamp cards, driver’s licenses, tax records, U.S. and foreign passports, pay stubs and parole letters. Taken together, the records expose residents of at least 26 states.

The application records, drawn from 18 of those states and generally dated from last September through November, list potential customers’ names, signatures, birth dates, home addresses and partial or full Social Security numbers. The proof files, from last September through April, include residents of at least eight remaining states.

However, Vcare and the two telecom companies assert that the reporters "hacked" their way into the data using "automated" methods to access the data. And what was this malicious hacking tool that penetrated the security of Vcare's servers? In a letter sent to Scripps News by Jonathan D. Lee, counsel for both of the cell carriers, Lee said that Vcare's research had shown that the reporters were "using the 'Wget' program to search for and download the Companies' confidential data." GNU Wget is a free and open source tool used for batch downloads over HTTP and FTP. Lee claimed Vcare's investigation found the files were bulk-downloaded via two Scripps IP addresses.

I know that already and I have same thoughts like you freedom and respecting privacy, actually Saudi has a big terrorist problem and they are misusing these services for spreading terrorism and contacting and spreading their cause that’s why I took this and I seek your help. If you are not interested than maybe you are on indirectly helping those who curb the freedom with their brutal activities.

Forgetting the question of legality, I hope that we can collectively look at this changing dynamic and perhaps re-evaluate what we culturally reward. I’d much rather think about the question of exploit sales in terms of who we welcome to our conferences, who we choose to associate with, and who we choose to exclude, than in terms of legal regulations. I think the contextual shift we’ve seen over the past few years requires that we think critically about what’s still cool and what’s not.

Maybe this is an unpopular opinion and the bulk of the community is totally fine with how things have gone (after all, it is profitable). There are even explicitly patriotic hackers who suggest that their exploit sales are necessary for the good of the nation, seeing themselves as protagonists in a global struggle for the defense of freedom, but having nothing to do with these ugly situations in Saudi Arabia. Once exploits are sold to US defense contractors, however, it’s very possible they could end up delivered directly to the Saudis (eg, eg, eg), where it would take some even more substantial handwaving to think that they’ll serve in some liberatory way.

“I’m being arrested federally for winning on a slot machine,” he said. “It’s just like if someone taught you how to count cards, which we all know is not illegal. You know. Someone told me that there are machines that had programming that gave a player an advantage over the house. And that’s all there is to it.…

“Who would not win as much money as they could on a machine that says, ‘Jackpot’? That’s the whole idea!”

In short, the casinos authorized defendants to play video poker. What the casinos did not do was to authorize defendants ‘to obtain or alter information’ such as previously played hands of cards. To allow customers to access previously played hands of cards, at will, would remove the element of chance and obviate the whole purpose of gambling. It would certainly be contrary to the rules of poker.

Follow me @glynmoody on Twitter or identi.ca, and on Google+

According to the Privacy Rights Clearinghouse, the loss or improper disposal of paper records, portable devices like laptops or memory sticks, and desktop computers have accounted for more than 1,400 data-breach incidents since 2005 -- almost half of all the incidents reported. More than 180,000,000 individual records were compromised in these breaches...

It is the hacker -- a sort of modern folk devil who personifies our anxieties about technology -- who gets all the attention. The result is a set of increasingly paranoid and restrictive laws and regulations affecting our abilities to communicate freely and privately online, to use and control our own technology, and which puts users at risk for overzealous prosecutions and invasive electronic search and seizure practices. The Computer Fraud and Abuse Act, the cornerstone of domestic computer-crime legislation, is overly broad and poorly defined. Since its passage in 1986, it has created a pile of confused caselaw and overzealous prosecutions.

Many members of the American public are already convinced something should be done about hackers. Many of our representatives feel the same way. A lack of knowledge of the underlying technology, much less the methods or culture, hasn't deterred legislators from crafting an overbroad response with the CISPA bill. Examining the issues more closely or reconsidering the legislation doesn't seem to be an option. After all, a "cyber Pearl Harbor" is all but inevitable, a conclusion confirmed by shouting "HACKER!" in the halls of Congress and hearing it echoed back by like-minded representatives, sympathetich government agencies, the media and a subset of the American public.

In the effort to protect society and the state from the ravages of this imagined hacker, the US government has adopted overbroad, vaguely worded laws and regulations which severely undermine internet freedom and threaten the Internet's role as a place of political and creative expression.

UK Parking Control (UKPC) is accused of revealing photographs of Brits' cars parked with number plates clearly to be read and in some cases the location revealed. In some images it's alleged that other details such as identification cards, shopping or belongings are clearly visible. Campaigners against private parking firms believe these images - allegedly made easily accessible to anyone on the UKPC website - exposed drivers' personal information.

[O[ne ticket recipient claimed to have found that by tweaking values in this web address, he could access thousands of other digital photographs of other people's vehicles... Some shots show personal items on view inside the vehicles, such as an ID card placed next to a disabled-driver badge.

The Computer Fraud and Abuse Act is the law under which Aaron Swartz and other innovators and activists have been threatened with decades in prison. The CFAA is so broad that law enforcement says it criminalizes all sorts of mundane Internet use: Potentially even breaking a website's fine print terms of service agreement. Don't set up a Myspace page for your cat. Don't fudge your height on a dating site. Don't share your Facebook password with anybody: You could be committing a federal crime. (Read more here.)

It's the vagueness and over breadth of this law that allows prosecutors to go after people like Aaron Swartz, who tragically committed suicide earlier this year. The government threatened to jail him for decades for downloading academic articles from the website JSTOR.

Since Aaron's death, activists have cried out for reform of the CFAA. But members of the House Judiciary Committee are actually floating a proposal to expand and strengthen it -- that could come up for a vote as soon as April 10th! (Read more here.)

In my capacity as First Assistant United States Attorney, I have been shown various harassing and potentially threatening email messages directed at United States Attorney Ortiz and the United States Attorney’s Office following Mr. Swartz’s suicide.

Attached at Tab E are copies of the following articles:

a. Swartz case protest at Boston US Attorney’s Home, The Boston Globe, March 12, 2013; and
b. Swartz protesters go to prosecutor’s home, The Boston Globe, March 17, 2013.

In my capacity as First Assistant, I have been shown various harassing and threatening messages directed at AUSA Heymann. One such email I have seen states, among other things:

ROFLMAO just saw you were totally dox’d over the weekend by Anonymous. How does it feel to become an enemy of the state? FYI, you might want to move out of the country and change your name . . .

That same email copies personal information of AUSA Heymann, including his home address and personal telephone number, among other things. AUSA Heymann has also reported to me that his personal information (including his home address, personal telephone number, and the names of family member and friends) were posted online, and that his Facebook page was hacked.

Attached at Tab F is a redacted copy of a postcard that AUSA Heymann has informed me he received at his home.

Attached at Tab G is a copy of a postcard that Professor Philip Heymann has informed me he received.

Against that background, the following news from The Verge about an attempt to pin down what exactly "cyberwar" might be, is particularly interesting:

A landmark document created at the request of NATO has proposed a set of rules for how international cyberwarfare should be conducted. Written by 20 experts in conjunction with the International Committee of the Red Cross and the US Cyber Command, the Tallinn Manual on the International Law Applicable to Cyber Warfare analyzes the rules of conventional war and applies them to state-sponsored cyberattacks.

That's because conventional war makes a distinction between combatants -- those fighting in regular armies -- and those who are "unprivileged belligerents". The difference is crucial: the former enjoy important rights, for example to be treated as prisoners of war if captured, whereas "unprivileged belligerents" do not. The distinction between the two groups is relatively obvious in traditional warfare, where combatants are organized and subject to clear command structures. Hacktivists, by contrast, may decide to defend their country by taking part in group attacks from their home or from a local café, say; the issue then becomes whether or not they are to be considered combatants with rights, or "unprivileged belligerents" without them.

The following section from the Tallinn Manual shows the experts floundering here -- and just how hard it is to come up with sensible rules for this "cyberwar" stuff:

Combatant status requires that the individual wear a 'fixed distinctive sign'. The requirement is generally met through the wearing of uniforms. There is no basis for deviating from this general requirement for those engaged in cyber operations. Some members of the International Group of Experts suggested that individuals engaged in cyber operations, regardless of circumstances such as distance from the area of operations or clear separation from the civilian population, must always comply with this requirement to enjoy combatant status.

So if you're ever tempted to engage in a little patriotic hacking into enemy computers, please don't forget to put on your uniform first...

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Stretching the ancient doctrine of trespass to chattels to apply to Internet activities has been an experiment in law-making. Unfortunately, I think the experiment has failed completely. The CFAA and state computer crime laws initially were designed to restrict hackers from breaching computer security—a sensible objective that, as I discuss below, should be preserved. The expansion of these laws to cover all sending or receiving of data from an Internet-connected server hasn’t worked...

Indeed, because legal doctrines already overlap so extensively, we almost never see an online trespass to chattels claim asserted on a standalone basis. Instead, an online trespass to chattels claim is usually just one of numerous legal violations asserted against the defendant. These doctrinal overlaps mean we usually don’t need online trespass to chattels either to supplement the more squarely applicable claims or to act as a “gap-filler” to plug the rare and narrow holes left by the other legal doctrines.

1) Repeal most provisions of the CFAA (that don't relate to government-run computers) and preempt all analogous state laws, including state computer crime laws and common law trespass to chattels as applied online. Note: without dealing with analogous state laws, reforming the CFAA is an incomplete solution.

2) Retain only the (A) restrictions on criminal hacking, which I would define as the defeat of electronic security measures for the goal of fraud or data destruction (and some of these efforts are already covered by other laws like the Electronic Communications Privacy Act), and (B) restrictions on denial-of-service attacks, which I would define as the sending of data or requests to a server with the intent of overloading its capacity.

3) Eliminate all civil claims for this conduct, so that only the federal government can enforce violations.

4) Specify that any textual attempts to restrict server usage fail unless the terms are presented in a properly formed contract (usually, a mandatory click-through agreement).

Rep. Gohmert: It's my understanding that under 18 USC 1030 that it is a criminal violation of law to do anything that helps take control of another computer, even for a moment. Is that your understanding?

Orin Kerr: It depends exactly what you mean by "taking control." If "taking control" includes gaining access to the computer, assuming a network your not supposed to take control of, then yes, that would clearly be prohibited by the statute.

Rep. Gohmert: For example, my understanding is that there was a recent example where someone had inserted malware on their own computer, such that when their computer was hacked and the data downloaded, it took the malware into the hacker's computer, such that when it was activated, it allowed the person whose computer was hacked to get a picture of the person looking at the screen. So they had the person who did the hacking, and actually did damage to all the data in the computer. Now, some of us would think 'that's terrific, that helps you get at the bad guys.' But my understanding is that since that allowed the hackee to momentarily take over the computer and destroy information in that computer and to see who was using that computer, then actually that person would have been in violation of 18 USC 1030. So I'm wondering if one of the potential helps or solutions for us would be to amend 18 USC 1030 to make an exception such that if the malware or software that allows someone to take over a computer is taking over a hacker's computer, that it's not a violation. Perhaps it would be like for what we do for assaultive offenses, you have a self-defense. If this is a part of a self-defense protection system, then it would be a defense that you violated 1030. Anybody see any problems with helping people by amending our criminal code to allow such exceptions or have any suggestions along these lines?

Orin Kerr: Mr. Gohmert, that's a great question that is very much debated in computer security circles. Because, from what I hear there is a lot of this "hacking back" as they refer to it. But at least under current law, it is mostly illegal to do that.... The real difficulty is in the details. In what circumstances do you allow someone to counterhack, how broadly are they allowed to counterhack, how far can they go? The difficulty, I think, is that once you open that door as a matter of law, it's something that can be difficult to cabin. So I think if there is such an exception, it should be quite a narrow one to avoid it from becoming the sort of exception that swallows the rule.

Rep. Gohmert: Well, I'm not sure that I would care if it destroyed a hacker's computer completely. As long as it was confined to that hacker. Are you saying we need to afford the hacker protection so we don't hurt him too bad?

Orin Kerr: (brief confounded look on his face) Uh... no. The difficulty is that you don't know who the hacker is. So it might be that you think the hacker is one person, but their routing communications... Let's say, you think you're being hacked by a French company, or even a company in the United States...

Rep. Gohmert: Oh and it might be the United States Government! And we don't want to hurt them if they're snooping on our people. Is that...?

Orin Kerr: No.

Rep. Gohmert: I don't understand why you're wanting to be protective of the hacker.

Orin Kerr: The difficulty is first, identifying who is the hacker. You don't know when someone's intruding into your network who's behind it. So all you'll know is that there's an IP address that seems to go back to a specific computer. But you won't know who it is who's behind the attack. That's the difficulty.

"His entire adult life has been dedicated to taking advantage of others, using his computer expertise to violate others' privacy, to embarrass others, to build his reputation on the backs of those less skilled than he," wrote U.S. Attorney Paul Fishman, who went on to note the "atypical recalcitrance by the defendant to conform to the laws regarding unauthorized computer access."

Yes, as Kionae alerts us, one (unplanned?) consequence of requiring online saves for your SimCity games is that anyone with a bit of hacking skill can visit your city, put some Blue Oyster Cult on in the background, and wreak the kind of havoc normally reserved for Japanese nuclear monsters. See, you can, were you so inclined, enter the save game city of another person, and then completely edit or destroy their loving creation like some kind of digital psuedo-god.

Just so we're clear, this is only possible because of the EA always-online requirement.

It's still awesome because this hack is only as destructive as it is because of EA's decision to make the game always-on. If the game hadn't had always-on DRM then this hack wouldn't be half as devastating as it is. Having EA delete these kind of topics from their forums is great damage control but don't be surprised if there's another furor when people start raging on the forums when some hacker decides to go through and Godzilla everyone's town. Enjoy.

"As soon as I open the front door, I hear this guy yelling at me, behind a squad car, pointing a pistol at me saying: 'Don't move. Put your hands up,'" Krebs, who is a long-time friend and colleague, told me. "The first thing I said was: 'You've got to be kidding me.'"

In all, there were at least a dozen officers with pistols, shotguns, and assault rifles pointed at him. They had police dogs circling his house and cruisers had sealed off a nearby street. Krebs, who was dressed in just gym shorts and a T-shirt, complied. Wisely.

"Two different guys were barking orders at me," he continued. "I finally said: 'Which way should I go?'" One officer told Krebs to lie on the ground, but before he could comply the other cop ordered Krebs to walk backwards. Eventually, "they put the cuffs on me and took me up the street. I was freezing the whole time."

After about five minutes in custody, Krebs explained that he was the victim of a monstrous crime known as swatting. One of the officers asked if Krebs was the person who had filed a report a few months earlier. When Krebs replied yes, the officers did a quick search of his home. With preparations for a dinner party clearly on display, it quickly became apparent that Krebs' home was not a crime scene and that the call was part of a fiendish plot. An officer told him later that they had tried calling him before he opened his front door but no one had answered the phone.

Often local police are left to investigate, even when the perpetrators may be half a world away. He wants that to change. "Your local police department, the ones that are responding to these distress calls, they don't have the bandwidth," he said. "This is an area where federal law enforcement needs to be coordinating investigations. I'd like to see some sort of recognition or statement from federal law enforcement that this is something they're actively investigating."

According to a federal indictment first obtained by the Huffington Post, Keys used a chat site to pass information to Anonymous. Using the name AESCracked, Keys handed over the login credentials and told hackers to "go fuck some shit up", the indictment says.

The hacker accessed at least one Los Angeles Times story and altered it, the charges say.

On the one hand, when compared what happened with Aaron Swartz, this is a step in the right direction. We're not talking about someone with positive intentions who walked the line between hacking and innovation, but someone who acted with obvious malice. But on the other hand, this highlights the big problem with federal hacking laws. The damage amounted to little more than inconvenience for a system administrator, making this essentially a case of small-scale vandalism—but because it involves computers, it's elevated to a federal crime. This really makes no sense. Computers and the internet are present in every part of life today, and computer crime can happen at every scale. In this case, it was the sort of reckless but small act of spite that would result in a much less serious punishment if it didn't happen online, and if it didn't allow the government to place Anonymous in the villain role of another story.

The case against Keys looks strong, and I'm guessing it will end with some sort of deal for a lesser punishment—possibly in exchange for information about other hackers. The real penalty will be the damage done to his career by this breach of trust (which further highlights the pointlessness of trying to put him in jail), but the biggest takeaway is that federal computer crime laws are in serious need of reform. Elevating the severity of simple crimes because they involve what is now one of the most common tools in the world is a senseless imbalance of justice, and makes it much harder to identify and combat serious crime online.

The idea is known as "active defense" to some, "strike-back" capability to others and "counter measures" to still more experts in the burgeoning cybersecurity field. Whatever the name, the idea is this: Don't just erect walls to prevent cyberattacks, make it more difficult for hackers to climb into your systems — and pursue aggressively those who do.

Some of those fears have reached Rep. Mike Rogers (R-Mich.), chairman of the chamber's Intelligence Committee and one of CISPA's lead authors. In fact, panel aides told POLITICO they're open to revising the relevant definitions in the bill. And Rogers himself this year has railed on the idea of an aggressive active defense, describing it as a "disaster for us" at a time when the country's digital defenses remain subpar.

In 2006, while a sophomore at Harvard, Zuckerberg created a website called “Facemash” which compared photographs of Harvard’s entire population, asking users to compare two photos and vote on who looked better. Zuckerberg allegedly got access to these photos by “hacking” into each of Harvard’s nine House websites and then collecting them all on one site. It’s not clear what this “hacking” was, but since the charges against him included “breaching security,” it may have fun afoul of the law.

Columbia Law Professor Tim Wu notes in the New Yorker that Apple co-founders Steve Jobs and Steve Wozniak, did acts that were “more economically damaging than, Swartz’s.” The two college roommates made what were called “blue boxes,” cheap devices that mimicked a certain frequency that allowed them to trick AT&T’s telephone system into making free long-distance calls. They also sold blue boxes before moving onto bigger and better ideas.

In his autobiography, Allen told the story of when the two future billionaires “got hold of” an administrator password at the company they worked at before starting Microsoft. The company had timeshared computers and Allen and Gates were getting charged for using them for their personal work.

The two men used the password to access the company's accounts and set about trying to find a free runtime account so that they could carry on programming without having to pay for the time. They also copied the account database for later perusal. However, management got wise to the plan.

"We hoped we'd get let off with a slap on the wrist, considering we hadn't done anything yet. But then the stern man said it could be 'criminal' to manipulate a commercial account. Bill and I were almost quivering."

“Experiences like that taught us the power of ideas…And if we hadn’t have made blue boxes, there would’ve been no Apple.”

The facts: AT&T admitted, at trial, that they “published” this data. Their words. Public-facing, programmatic accesses of APIs happen upwards of a trillion times per day. Twitter broke 13 billion on their API ages ago. This is something that happens more than the entire population of Earth, daily. The government has no problem with this up until you transform the output into something offensive to important people. People with “disruptive” startups, this is your fair warning: They are coming for you next.

The other one of my prosecutors, Zach Intrater, said that a comment I made about Goatse Security, my information security working group, starting a certification process to declare systems “goatse tight” was evidence of my intent to personally profit. For those not in on the joke: Goatse is an Internet meme referencing a man holding open his anus very widely. The mind reels.

I can’t survive like this. I am happy to be hitting a prison cell soon. They ruined my business. The feds get approval of who I can work for or with: they rejected one company because the CEO had a social network profile with an occupation listed as “hacker.” They prohibit me from touching any computer that isn’t federally monitored. I do my best to slang Perl code on an Android device to comply with my bail conditions. It isn’t pretty.

“It was Edouard Taza, the president of Skytech. He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack. I apologized, repeatedly, and explained that I was one of the people who discovered the vulnerability earlier that week and was just testing to make sure it was fixed. He told me that I could go to jail for six to twelve months for what I had just done and if I didn’t agree to meet with him and sign a non-disclosure agreement he was going to call the RCMP and have me arrested. So I signed the agreement.”

Two decades ago, the FBI complained it was having trouble tapping the then-latest cellphones and digital telephone switches. After extensive FBI lobbying, Congress passed the Communications Assistance for Law Enforcement Act (CALEA) in 1994, mandating that all telephone switches include FBI-approved wiretapping capabilities.

CALEA was justifiably controversial, not least because its requirement for “backdoors” across our communications infrastructure seemed like a security nightmare: How could we keep criminals and foreign spies from exploiting weaknesses in the new wiretapping features? Would we even be able to detect them when they did?

Those fears were soon borne out. In 2004, a mysterious someone — the case was never solved — hacked the wiretap backdoors of a Greek cellular switch to listen in on senior government officials … including the prime minister.

Think this could only happen abroad? Some years ago, the U.S. National Security Agency discovered that every telephone switch for sale to the Department of Defense had security vulnerabilities in their mandated wiretap implementations. Every. Single. One.

Here is where we need a better sense of justice, and shame. For the outrageousness in this story is not just Aaron. It is also the absurdity of the prosecutor’s behavior. From the beginning, the government worked as hard as it could to characterize what Aaron did in the most extreme and absurd way. The “property” Aaron had “stolen,” we were told, was worth “millions of dollars” — with the hint, and then the suggestion, that his aim must have been to profit from his crime. But anyone who says that there is money to be made in a stash of ACADEMIC ARTICLES is either an idiot or a liar. It was clear what this was not, yet our government continued to push as if it had caught the 9/11 terrorists red-handed.

Aaron had literally done nothing in his life “to make money.” He was fortunate Reddit turned out as it did, but from his work building the RSS standard, to his work architecting Creative Commons, to his work liberating public records, to his work building a free public library, to his work supporting Change Congress/FixCongressFirst/Rootstrikers, and then Demand Progress, Aaron was always and only working for (at least his conception of) the public good. He was brilliant, and funny. A kid genius. A soul, a conscience, the source of a question I have asked myself a million times: What would Aaron think? That person is gone today, driven to the edge by what a decent society would only call bullying. I get wrong. But I also get proportionality. And if you don’t get both, you don’t deserve to have the power of the United States government behind you.

In that world, the question this government needs to answer is why it was so necessary that Aaron Swartz be labeled a “felon.” For in the 18 months of negotiations, that was what he was not willing to accept, and so that was the reason he was facing a million dollar trial in April — his wealth bled dry, yet unable to appeal openly to us for the financial help he needed to fund his defense, at least without risking the ire of a district court judge. And so as wrong and misguided and fucking sad as this is, I get how the prospect of this fight, defenseless, made it make sense to this brilliant but troubled boy to end it.

Mr. Swartz's lawyer, Elliot Peters, first discussed a possible plea bargain with Assistant U.S. Attorney Stephen Heymann last fall. In an interview Sunday, he said he was told at the time that Mr. Swartz would need to plead guilty to every count, and the government would insist on prison time.

Mr. Peters said he spoke to Mr. Heymann again last Wednesday in another attempt to find a compromise. The prosecutor, he said, didn't budge

The government indicated it might only seek seven years at trial, and was willing to bargain that down to six to eight months in exchange for a guilty plea, a person familiar with the matter said. But Mr. Swartz didn't want to do jail time.

"I think Aaron was frightened and bewildered that they'd taken this incredibly hard line against him," said Mr. Peters, his lawyer. "He didn't want to go to jail. He didn't want to be a felon."

I know a criminal hack when I see it, and Aaron’s downloading of journal articles from an unlocked closet is not an offense worth 35 years in jail.

The facts:

• MIT operates an extraordinarily open network. Very few campus networks offer you a routable public IP address via unauthenticated DHCP and then lack even basic controls to prevent abuse. Very few captured portals on wired networks allow registration by any vistor, nor can they be easily bypassed by just assigning yourself an IP address. In fact, in my 12 years of professional security work I have never seen a network this open.
• In the spirit of the MIT ethos, the Institute runs this open, unmonitored and unrestricted network on purpose. Their head of network security admitted as much in an interview Aaron’s attorneys and I conducted in December. MIT is aware of the controls they could put in place to prevent what they consider abuse, such as downloading too many PDFs from one website or utilizing too much bandwidth, but they choose not to.
• MIT also chooses not to prompt users of their wireless network with terms of use or a definition of abusive practices.
• At the time of Aaron’s actions, the JSTOR website allowed an unlimited number of downloads by anybody on MIT’s 18.x Class-A network. The JSTOR application lacked even the most basic controls to prevent what they might consider abusive behavior, such as CAPTCHAs triggered on multiple downloads, requiring accounts for bulk downloads, or even the ability to pop a box and warn a repeat downloader.
• Aaron did not “hack” the JSTOR website for all reasonable definitions of “hack”. Aaron wrote a handful of basic python scripts that first discovered the URLs of journal articles and then used curl to request them. Aaron did not use parameter tampering, break a CAPTCHA, or do anything more complicated than call a basic command line tool that downloads a file in the same manner as right-clicking and choosing “Save As” from your favorite browser.
• Aaron did nothing to cover his tracks or hide his activity, as evidenced by his very verbose .bash_history, his uncleared browser history and lack of any encryption of the laptop he used to download these files. Changing one’s MAC address (which the government inaccurately identified as equivalent to a car’s VIN number) or putting a mailinator email address into a captured portal are not crimes. If they were, you could arrest half of the people who have ever used airport wifi.
• The government provided no evidence that these downloads caused a negative effect on JSTOR or MIT, except due to silly overreactions such as turning off all of MIT’s JSTOR access due to downloads from a pretty easily identified user agent.
• I cannot speak as to the criminal implications of accessing an unlocked closet on an open campus, one which was also used to store personal effects by a homeless man. I would note that trespassing charges were dropped against Aaron and were not part of the Federal case.

In short, Aaron Swartz was not the super hacker breathlessly described in the Government’s indictment and forensic reports, and his actions did not pose a real danger to JSTOR, MIT or the public. He was an intelligent young man who found a loophole that would allow him to download a lot of documents quickly. This loophole was created intentionally by MIT and JSTOR, and was codified contractually in the piles of paperwork turned over during discovery.

Given the disclosures by Swartz's expert, Alex Stamos, which are linked at the beginning of this post, it seems that Swartz had a strong argument that he did indeed have "authorization." As Stamos says, at the time of Swartz's downloads, "the JSTOR website allowed an unlimited number of downloads by anybody on MIT’s 18.x Class-A network" and "Aaron did not use parameter tampering, break a CAPTCHA, or do anything more complicated than call a basic command line tool that downloads a file in the same manner as right-clicking and choosing 'Save As' from your favorite browser."

Thus, all Swartz did was write a script to find and download the files. As a factual matter, that may have been "authorization," rendering it lawful everywhere. Even if the script was "exceeding authorization," if the First Circuit had adopted the same rule as the Fourth Circuit and the Ninth Circuit, then Swartz would likely have been not guilty as a matter of law. All of which further shows why this prosecution should not have been brought in the first place; the prosecutor is supposed to exercise their judgment to do justice.

Elliot Peters, Swartz's California-based defense attorney and a former federal prosecutor in Manhattan, told The Associated Press on Sunday that the case "was horribly overblown" because Swartz had "the right" to download from JSTOR, a subscription service used by MIT that offers digitized copies of articles from more than 1,000 academic journals.

Peters said even the company took the stand that the computer crimes section of the U.S. Attorney's Office in Boston had overreached in seeking prison time for Swartz and insisting , two days before his suicide , that he plead guilty to all 13 felony counts. Peters said JSTOR's attorney, Mary Jo White , the former top federal prosecutor in Manhattan , had called Stephen Heymann, the lead Boston prosecutor in the case.

"She asked that they not pursue the case," Peters said.