Expose A Blatant Security Hole In AT&T's Servers, Get 3.5 Years In Jail

from the now-the-holes-will-be-open-longer dept

We’ve written a few times about the case of Andrew Auernheimer, perhaps better known as weev. While he has a bit of a reputation as an online troll, and self-admitted jerk, his case is yet another example of how ridiculously broken the CFAA (Computer Fraud and Abuse Act) remains. In this case, what he did was expose a pretty blatant security hole in AT&T’s servers, that allowed anyone to go in and find the emails of any AT&T iPad owner, merely by incrementing the user ID. This isn’t a malicious “hack.” It’s barely a “hack” at all. This isn’t “breaking in.” This is just exploring a totally broken system. To call attention to this, weev collected information on a bunch of famous folks who had iPads and alerted the press. This is what security folks do all the time. And for his troubles in helping AT&T discover and close a pretty bad security hole, he’s been sentenced to 41 months in prison plus he has to pay $73,000 to AT&T. One hopes AT&T will use it to hire half a decent security person or something.

The sentencing, by the way, was near the top of the “guidelines” the judge had, for those who insisted that the courts in other CFAA cases, such as Aaron Swartz’s, might be lenient.

Plenty of people, especially in the security community, are realizing what a ridiculous ruling this is and how dangerous it is. As people are starting to point out, while he may be a jerk, that doesn’t mean he’s a criminal. The prosecution used chat logs in which Auernheimer and a friend, Daniel Spitler, discussed the effort, and the fact that they talked about harming AT&T’s reputation and promoting themselves as security experts. I don’t see how that leads to any criminal activity though. AT&T’s reputation should be tarnished for having crap security. And why wouldn’t some researchers talk about using the discovery of a really bad privacy hole by a major corporation to boost their own credentials? Pretty much anyone in their shoes would reasonably think the same thing.

Prosecutors, of course, played up Auernheimer’s history of being a jerk, but that alone has little to do with his actions here:

“His entire adult life has been dedicated to taking advantage of others, using his computer expertise to violate others’ privacy, to embarrass others, to build his reputation on the backs of those less skilled than he,” wrote U.S. Attorney Paul Fishman, who went on to note the “atypical recalcitrance by the defendant to conform to the laws regarding unauthorized computer access.”

While that may be true, none of that, by itself, is illegal. And the actions that exposed a glaring hole put in place by bad programmers at AT&T shouldn’t be either.



Comments on “Expose A Blatant Security Hole In AT&T's Servers, Get 3.5 Years In Jail”

112 Comments
Roverandom says:

Re: Then again

By the same token…

Act like a jerk for many years
Build a reputation for being a real asshole
Piss off a lot of innocent people
Actively make enemies whenever possible
Openly defy anybody to do anything about it

…and first chance you give them an opening to take a shot at you, what else can you realistically expect? Build up a big enough negative balance in your “payback account” and sooner or later somebody will call in the loan.

Colin (user link) says:

Re: Re: Then again

…and first chance you give them an opening to take a shot at you, what else can you realistically expect?

Um, maybe to act like adults and use some sort of discretion and judgement? Trust me, I wish I could send every asshole I came across to jail, but that’s not how it works – for us normal folks, at least.

Robert Doyle (profile) says:

Re: Re: Re: Then again

And the argument can be made that he wasn’t being sent to jail for being an asshole (ok, yes, he was… but I’m advocating for the devil so gimme a chance) but for sharing a bunch of information that wasn’t his to share. The argument can be made that he could have gone about this a dozen different ways and chose the one that was the most “enjoyable” to him and not the most responsible. He could have shown discretion and judgement.

Of course, that sentence should be shared between him and the board of AT&T for allowing crap like that to happen and then playing innocent victim when it does.

I think the only real victims in all of this were the AT&T customers who had their private communication splashed around the internet.

Anonymous Coward says:

yet another case of the ‘whistle blower, the messenger’ being hit so as to try to save face of the company it exposed. you can thank the Obama administration for lying about protecting whistle blowers and the various law enforcement agencies for having to also ‘save face’ when prosecuting. everyone has jumped on board now, so the ‘customers’ are the ones that always suffer.

Anonymous Coward says:

Re: Re:

Thanks Obama

Since this has obviously never happened anywhere else in the known universe, we can all share our total disgust with everything that the present administration has done and is going to do. Obviously the GOP is much better and this would not have happened if they were in control of everything.

…. /s jic

RyanNerd (profile) says:

Re: Re: Re:

While I am not defending the position that the GOP would have done any better, the fact is that the Obama administration has made protecting whistleblowers a ‘priority’.

The administration SHOULD ABSOLUTELY be taken to task for failure to do what they said was a priority. Arguing that the GOP would not do any better is a pseudo strawman argument.

Anonymous Coward says:

Re: Re: Re: Re:

“The administration SHOULD ABSOLUTELY be taken to task for failure to do what they said was a priority. Arguing that the GOP would not do any better is a pseudo strawman argument.”

Check out who did the actual OKs on the prosecution.
Odds are they’re Republicans or Republican appointees.

Pete Austin says:

The Guardian hacked me like this

A few years ago, a freelancer working for The Guardian newspaper in the UK hacked my site like this.

I’m not so stupid as to allocate sequential IDs, and we had alerts in place for suspicious activity, because a lot of people try to obtain information by modifying URLs. I think some of the major ESP hacks were done like this.

But it turned out there was a pattern to our IDs that could be guessed and if you made a few calls per hour per IP then you could very slowly syphon out data. I think the journalist made about 5 calls and then stopped, which was just under the threshold for alerting.

When this turned up in an online article that tried to embarrass one of my clients (with no prior warning that I’m aware of, and I *would* have been told) we rapidly patched the issue by making the IDs much more sparse.

We didn’t dream of contacting the police, the Guardian didn’t contact us, and basically I was happy that the security hole was fixed.

BTW we also went through our logs and nobody else was trying the same attack. Some people trying high-volume attacks, of course, but they’d already been blocked automatically.

I suspect my experience is much more typical of what usually happens.

nasch (profile) says:

Re: The Guardian hacked me like this

we rapidly patched the issue by making the IDs much more sparse.

We didn’t dream of contacting the police, the Guardian didn’t contact us, and basically I was happy that the security hole was fixed.

No it wasn’t. You just made it somewhat harder to guess the IDs. You’re still relying on security by obscurity, you just increased the obscurity.
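An added example (mine, not from the article or any commenter) that puts the two points in this thread into code: the per-hour threshold Pete Austin describes a slow walk through neighbouring IDs slipping under, a rate-independent enumeration check that still catches that walk, and the authorization check whose absence is the hole the article describes, shown beside the unchecked lookup that sparser IDs only slow down rather than close. The log format, endpoint path, IP addresses, ICC-ID values and email addresses are all constructed.

```python
import re
from collections import defaultdict

# Assumed (not from the page) log format:
#   "<ip> <epoch-seconds> GET /lookup?id=<ICC-ID> <status>"
LOG_RE = re.compile(r"^(\S+) (\d+) GET /lookup\?id=(\d+) (\d{3})$")

# Constructed sample log. 203.0.113.7 walks five neighbouring IDs about
# 30 minutes apart, so a per-hour request threshold never trips;
# 198.51.100.2 is an ordinary client fetching its own record twice.
SAMPLE_LOG = """\
203.0.113.7 1000 GET /lookup?id=8901000000000000101 200
198.51.100.2 1100 GET /lookup?id=8901000000000000450 200
203.0.113.7 2800 GET /lookup?id=8901000000000000102 200
203.0.113.7 4600 GET /lookup?id=8901000000000000103 200
198.51.100.2 5000 GET /lookup?id=8901000000000000450 200
203.0.113.7 6400 GET /lookup?id=8901000000000000104 200
203.0.113.7 8200 GET /lookup?id=8901000000000000105 200
"""


def parse_log(text):
    """Return (ip, timestamp, icc_id, status) tuples; skip unparseable lines."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ip, ts, icc_id, status = m.groups()
            rows.append((ip, int(ts), int(icc_id), int(status)))
    return rows


def rate_alerts(rows, per_hour=5):
    """Volume rule: flag an IP with more than per_hour requests in any
    3600-second window. A patient client simply stays under it."""
    times_by_ip = defaultdict(list)
    for ip, ts, _, _ in rows:
        times_by_ip[ip].append(ts)
    flagged = set()
    for ip, times in times_by_ip.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] >= 3600:
                lo += 1
            if hi - lo + 1 > per_hour:
                flagged.add(ip)
    return flagged


def enumeration_alerts(rows, min_distinct=3, max_gap=10):
    """Pattern rule: flag an IP that successfully fetched several distinct
    IDs lying within max_gap of each other, however slowly it did so.
    A subscriber looking up only its own record never produces this."""
    ids_by_ip = defaultdict(set)
    for ip, _, icc_id, status in rows:
        if status == 200:
            ids_by_ip[ip].add(icc_id)
    flagged = set()
    for ip, ids in ids_by_ip.items():
        if len(ids) < min_distinct:
            continue
        ordered = sorted(ids)
        close = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a <= max_gap)
        if close >= min_distinct - 1:
            flagged.add(ip)
    return flagged


# Constructed ICC-ID -> email directory standing in for the subscriber store.
SUBSCRIBERS = {
    8901000000000000101: "first@example.net",
    8901000000000000102: "second@example.net",
    8901000000000000450: "other@example.net",
}


class Forbidden(Exception):
    """Raised when a caller asks for a record that is not theirs."""


def lookup_email_vulnerable(requested_id):
    """The hole: whoever supplies an ID gets that subscriber's email.
    Sparser IDs only make the guess slower; they do not close this."""
    return SUBSCRIBERS.get(requested_id)


def lookup_email_fixed(session_icc_id, requested_id):
    """Bind the lookup to the authenticated subscriber (assumed here to be
    carried in a server-side session); the ID in the request is not trusted."""
    if session_icc_id != requested_id:
        raise Forbidden("requested record is not the authenticated subscriber's")
    return SUBSCRIBERS.get(requested_id)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("rate rule flags:", rate_alerts(rows) or "nothing")
    print("enumeration rule flags:", enumeration_alerts(rows))
```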

Lonyo (profile) says:

Bad idea

Is this not incredibly dangerous and counterproductive?

Basically, a guy finds a flaw in a website, and reveals it (after being slightly nefarious to show that it’s an issue and get it publicity).

For bringing it to the attention of the public, he gets punished.
If he had kept it secret and just leaked the information without revealing himself, which he could have done, the security hole may not have been notified to AT&T.

Basically it means that amateur security people will no longer find these holes in large corporations, meaning people who want to exploit them for personal gain will have a much easier time of keeping them secret or finding them first.
Resulting in a LESS secure system, due to laws which are supposed to improve security.

If your law against hacking results in hacking being driven more underground and people NOT revealing security flaws they find, you’re doing it wrong.

Robert Doyle (profile) says:

Re: Bad idea

I am pretty sure someone here can find ready examples of when the “hackers” did all the right things (contacted the company, didn’t share the details, tried to warn security makers) and were still punished for even being smart enough or unlucky enough to find the problem. And the companies probably didn’t even take it seriously.

Too often we punish the people who are trying to help us because of ego.

nasch (profile) says:

Re: Bad idea

If your law against hacking results in hacking being driven more underground and people NOT revealing security flaws they find, you’re doing it wrong.

Yep. Since companies generally don’t suffer any kind of punishment for security breaches, they don’t have much incentive to fix or prevent them – unless they become very public knowledge. Therefore, they would rather punish and silence security people so they don’t have to spend the money to fix their problems.

mermaldad (profile) says:

Et tu

“His entire adult life has been dedicated to taking advantage of others, using his computer expertise to violate others’ privacy, to embarrass others, to build his reputation on the backs of those less skilled than he,”

Funny how this quote could, with minor grammatical modifications, be applied to the “victim”, AT&T…

New Mexico Mark says:

Re: Re:

The problem is that now most courts circumvent jury nullification by asking a question along the lines of, “Are you willing to put aside your personal beliefs and opinions and make a decision based solely on the law and the judge’s instructions?”

Who gets screened out? The ignorant and the honest.

Dreddsnik says:

Re: Re: Re:

” The problem is that now most courts circumvent jury nullification by asking a question along the lines of, “Are you willing to put aside your personal beliefs and opinions and make a decision based solely on the law and the judge’s instructions?”

Yeah, I know. Whenever I was asked that question in selection I lied and said ‘yes’. People are the easiest system to ‘hack’.

ltlw0lf (profile) says:

Re: Re: Re:

Who gets screened out? The ignorant and the honest.

I kinda wish they would have a three strikes and you’re out program for jury selection nationwide. California has the one strike and you’re out, which the jury administrators hate but which works so well for me.

Being an Engineer/Scientist, and a Libertarian, the only way I ever get selected on a jury is when the lawyers aren’t paying attention (or are planning to plead guilty anyway.) Usually I am challenged, sometimes the first challenged in a jury pool. I always feel like the nerd on the playground…nobody wants me for their jury, but yet they keep calling me in (because I show up knowing that it is a privilege to do so.) In the 21 times I’ve been called in for jury duty, the three or four dozen cases, I’ve sat on two juries (both in which I played a limited role.) I don’t know why the courts hate engineers and libertarians so much, but it seems like they think those people have already made up their minds, unlike school teachers and philosophers.

It was nice when California chose the one day, one trial system. At least I don’t have to keep coming back to be rejected…

Beta (profile) says:

Re: Re: Re: Re:

I think the lawyers train for the typical jurors. They don’t know how to pitch to a juror who actually understands probability or can evaluate situations dispassionately. You’re a wild card.

So why don’t the lawyers who expect to lose want to throw in a wild card to improve their chances? I think it’s because they don’t understand probability and can’t evaluate situations dispassionately.

ltlw0lf (profile) says:

Re: Re: Re:2 Re:

I think the lawyers train for the typical jurors.

Yeah, but it is always fun when it backfires on them. I know a couple school teachers that can never sit on another jury because they were part of a “deadlocked” jury. If there is one thing that gets you removed quicker than an Engineer or libertarian, it is someone who sat on a jury that deadlocked.

So why don’t the lawyers who expect to lose want to throw in a wild card to improve their chances? I think it’s because they don’t understand probability and can’t evaluate situations dispassionately.

I guess that makes me feel better…

ltlw0lf (profile) says:

Re: Re: Re:

They usually call it a ‘job offer’ but yeah, pretty much.

As someone who has exposed stuff in the past, be wary of the job offer or the bribe. If you aren’t a member of the establishment, taking a job offer or a bribe may be seen as extortion.

I had one company that wanted to pay me off to make me go away and stop bothering them. I had no problem “working with them” but my personal beliefs and the attitudes of my then current employer steered me away from taking any money from them. After working with them for a while, I got the impression from one of their engineers that the company was kinda hoping that I would have taken the money so that they could have had me prosecuted/fired from my job.

The Infamous Joe (profile) says:

Meanwhile...

Two kids found a security flaw in one of those electronic billboards… and the company, DPC, gave them ipads and invited them to come talk about security.

…in Serbia.

What did the DPC have to say about the hacking?

“This has never happened before, but we appreciate the fact that these guys have, in a charming way, pointed us to this huge problem,” DPC’s manager Slobodan Petrovic commented.

and

According to DPC’s [the billboard company] manager the two students are lucky to be in Serbia, as things may have ended differently in other countries. “In more developed countries, these actions are unthinkable because of severe sanctions,” he said.


When did things get so out of hand, here in America?

Anonymous Coward says:

Re: Meanwhile...

“When did things get so out of hand, here in America?”

It’s the slanted opinion of a “hacker” and “cybersecurity”. A “hacker” must have done it. “Hackers” are evil. We don’t want “hackers” in our system. Throw the book at this “hacker” rather than fix any security issues. I mean it’s worked until now right? So only a “hacker” can cause problems.

Anonymous Coward says:

with you stating, Mike, that there was nothing illegal in what the guy did, it hasn’t helped him one iota. the judge, like those in the Rasset case is interested in only two things, making sure someone goes to jail for having the audacity to expose a company failure and making sure that those bringing the charges are exonerated from blame.

where they need to be careful is that when someone finds something that could prevent a national disaster keeps quiet for fear of those that should have found the information being so pissed that they charge the finder and jail him rather than admit to their own failings, just to save face!

Anonymous Coward says:

Thing is, he did not just “expose” a flaw, he found it, exploited it, and then went public with it.

he did not get on the phone to AT&T’s security department and disclose it. But exploited it, got a bunch of information from that exploit and that is the main illegal thing he did. Try to down play that if you like, but facts are facts.

G Thompson (profile) says:

Re: Re:

Why should he? Basically under every other country’s laws on the planet he has NO DUTY whatsoever to explain to them that they have a security flaw before posting about it.

It might be a better thing to call them and explain the situation but there is no legal reason to do it.

That is unless you reside within America and have the audacity to point out the Emperor and his minions are wearing no clothes and shout it out in public.

As for the character assassination that the prosecutor brought to bear in court, I’m amazed that the US legal system allows character in ANY criminal trial because nowhere else does, since it bears no relevance whatsoever to the instance of the alleged action(s) in the matter at hand. And no, not even to mens rea.

Though I’m not surprised at the sentencing, it was about ‘cyber’ attacking one of the USA’s (all the way) darlings of industry who could in no way shape nor form be negligent ever in their upholding of security and their customer information. Well the rest of the world knows they are negligent, but consumer privacy laws only ever apply when it happens to a company it seems in the USA.

I’m amazed he didn’t get the chair

Keroberos (profile) says:

Re: Re:

Hmm…I think you haven’t hung around in the white hat hacking community much. This is a constant problem they run into with any major corporation–you can’t just “get on the phone to AT&T’s security department and disclose it”–the entire customer facing parts of their business are designed to not let you do this. And even if you did by some miracle get hold of someone with the authority to do something about it, or to forward the info to someone who does–what do you think the chances are that they will? The only way to get them to do anything about it is to expose it as publicly as possible, so it makes it into the mainstream news–then maybe something will get done to fix the problem–and the best way to do this is to actually use the exploit to prove it exists.

RyanNerd (profile) says:

Re: Re:

Exposing AT&T’s security flaws (which has the side effect of hurting their reputation) is not a ‘criminal act’. The facts are that AT&T should have been more careful and vigilant with their security; especially with the ‘we take your privacy seriously’ letters they keep sending me.

Jailing someone for discovering a security hole and making it public will have obvious chilling effects. This is plainly an overreaching application of the CFAA.

G Thompson (profile) says:

Re: Re: Re:

Absolutely, it’s why there are now rumblings in the field that basically anyone who finds something untoward, and is American, should now tell their peers internationally and let them publish.

I for one will be happy to help out in this respect.

US companies are not going to be happy if that occurs, and neither will the US Government. Also, fewer people will feel that there is any ethical obligation to tell the company first and instead just publish anonymously (or via proxy as above) and do more harm to the company. Which sometimes isn’t a bad thing.

Anonymous Coward says:

Re: Re: Re:

There is a difference between exposing and exploiting. Exposing a security flaw in my home means telling me it’s possible to gain entry through a dog door or unlocked second story window. Exploiting is gaining entry to my home and going into my file cabinet and copying my files.

ltlw0lf (profile) says:

Re: Re: Re: Re:

There is a difference between exposing and exploiting. Exposing a security flaw in my home means telling me it’s possible to gain entry through a dog door or unlocked second story window. Exploiting is gaining entry to my home and going into my file cabinet and copying my files.

Yes, but the problem is, unless you exploit the flaw, the company will just say it is a theoretical flaw that has no practical implications and thus is not worth their time and effort to fix. Been there, done that.

Not that this gentleman did the right thing, but in some cases, the only way to show that the flaw is real and is something they need to fix is to show them how easy it is to exploit and what the damages are.

ltlw0lf (profile) says:

Re: Re: Re:4 Re:

Your analogy can only hold so far, because your home’s security flaws affect only you and your family, while AT&T’s affect millions of people.

Yeah, what he said.

Though I’d note that you have absolutely no requirement, contractually or legally, to not ignore your neighbor’s warning. If the alarm company or the police ignore the warning, then that is their problem. However, just like everything else including being a hero or saving someone’s life, if you don’t want to get involved there is nothing legally or contractually required for you to get involved. Most police departments don’t want you to get involved, unless it is to call them and let them know that the alarm is going off.

However, if you were to point out a weakness in the alarm system installed in everyone’s homes, I’d prefer to know it so I can make the necessary changes instead of being blissfully unaware of the problem and unable to fix it.

ltlw0lf (profile) says:

Re: Re: Re:6 Re:

Maybe the best option is to point out the problem and leave it at that.

Normally, I’d agree with you.

But my statement remains, that in some cases pointing out the problem isn’t enough. People pointed out that the world trade center was vulnerable to airplane strikes before 9/11. People also pointed out that O-Rings were failing on the Shuttle Rocket Boosters before the Challenger incident, or pointing out that the foam used on the shuttle was tearing tiles off the shuttle before the Columbia incident. Unfortunately, in some cases, the only way to get someone to do something is when tragedy strikes. From personal experience, there were a number of times that the companies I exposed problems for ignored me until I pointed it out, along with exploit code (even after I responsibly disclosed the issue to them ahead of time.)

Entering and copying files was totally unnecessary and what landed this douche in prison.

And I totally agree, though the jury is still out as to whether this, or something else, landed this douche in prison.

nasch (profile) says:

Re: Re: Re:6 Re:

not an insult, auto-correct malfunction

Thanks, I appreciate the clarification.

Let’s make it a college dorm or the Empire State Building. It is the same theory. Size does not confer the right to enter the premises of another and to copy files.

Well, then the analogy starts failing because he didn’t actually break in, he just found some web pages that someone was hoping nobody would find. But even if he had circumvented their security measures to get that information, it still wouldn’t be a perfect analogy (there is no such thing), just in case you want to go there. 🙂 Any time someone says “this wouldn’t be OK if it was a physical thing so it’s not OK on a computer either” there is a good chance that’s a flawed argument, because physical and digital are different.

Keroberos (profile) says:

Re: Re: Re: Re:

And many security companies do exactly that–break in and steal stuff (exploiting). You can tell some people and corporations that their security is crap (and explain why it is), but until you show them how crappy it is by breaking in and stealing stuff (exploiting), many won’t do a thing to fix it–the head in the sand approach to security (most famously demonstrated by Sony with their crappy PSN security that they had been told about by the security people in their own company and did nothing to fix until they got hacked).

G Thompson (profile) says:

Re: Re:

Please cite criminal statutes that show this…. oh you can’t.. That’s because there are none, the only thing that might come close is Tortious Interference and that is tort law…ie: NOT criminal

As for Industrial espionage and/or sabotage, you really need to read more to understand how totally ignorant and stupid you appear.

Oh and in the USA ‘security experts’ are everywhere, there are no standardised qualifications and professionally and personally I would state he has more ability to call himself a security person than most of the so called network/database admins at AT&T do.

Diciple7M says:

Re: Re:

Are you being serious? Have you ever said anything mean about a company? Something like “apple is so horrible they do -this-” or “windows sucks it only does -this”. Every day we say and do things that hurt companies and other people. I do believe that the first amendment gives us the right to say what we want and when we want. This idea that we shouldn’t say something as to not hurt a company’s “image and reputation” is crap.

tomxp411 (profile) says:

Re: Re: Re:

Right, but what about gathering credit card numbers and email addresses for all of that company’s customers, then spreading that out for all to see?

THAT is what this guy is being punished for, not just for finding the security hole.

I hate that every article about this guy makes it out like he was an innocent “security researcher,” when he was anything but. He was looking to do damage, and that’s what he did.

nasch (profile) says:

Re: Re: Re: Re:

Right, but what about gathering credit card numbers and email addresses for all of that company’s customers, then spreading that out for all to see?

“The specific information exposed in the breach included subscribers’ email addresses, coupled with an associated ID used to authenticate the subscriber on AT&T’s network, known as the ICC-ID. ICC-ID stands for integrated circuit card identifier and is used to identify the SIM cards that associate a mobile device with a particular subscriber.”

Much more tame than spreading credit card numbers. Not that I agree with his technique, but three and a half years for publicizing some email addresses seems awfully severe.

Anonymous Coward says:

I watched the 60 Minutes interview with the founder of Twitter, Jack Dorsey. He found a security hole in the NYC train system software. He emailed security with a description of the problem and how to fix it. He also mentioned he wrote scheduling software. Two weeks later he had a job.

That’s how you do it. You don’t enter through an unlocked door, take whatever you want and crow to the media in an attempt to aggrandize yourself or embarrass a company. That is exploitation; pure and simple. You do not have the right to enter a poorly secured computer network, any more than you have the right to enter my house through my oversized dog door. And once you enter my house, you have no right to go into my file cabinet and start copying my files.

The fact that this guy is also an asshole is on him. Judges are free to sentence within the guidelines. Sounds like the court got this one right.

relyts (profile) says:

Re: Re:

Your argument contains a major flaw. How do you think he found that security hole in the NYC train system software and was able to describe how to fix it? You would have to intentionally breach their system and search for information like that. Apparently, all this person used to access information was their own IDs. This is AT&T’s fault, and anyone could have been exploiting this. Andrew just happened to be the one that made the problem known. Let me ask you something. If I open the door to a public restroom and there is a naked woman there, am I going to be arrested for peeping? No, the door was unlocked and therefore the fault is on her. Nothing but a PR stunt to protect their image.

Reality Check (profile) says:

Sounds familiar

Her entire adult life has been dedicated to taking advantage of others, using her legal expertise to violate others’ privacy, to embarrass others, to build her reputation on the backs of those less skilled than her.

vs

His entire adult life has been dedicated to taking advantage of others, using his computer expertise to violate others’ privacy, to embarrass others, to build his reputation on the backs of those less skilled than he

If you are a jerk with legal expertise you get to be a US Attorney, if you are a jerk with computer expertise, the other jerks will take you down.

Anonymous Coward says:

The chat logs show other intent

If it was innocent exploration, I could see this being a poor application of justice. Unfortunately for weev, the chat logs contained in Wired’s writeup indicate it wasn’t for security purposes, it was for ‘lols’ and then it was discussed that disclosure of this information could/would manipulate the stock price of AT&T.

Moral: don’t go screwing around with websites, especially when they a) have something to do with America’s favorite white plastic vendor and b) your results include government officials. Another good practice would be to ensure that one doesn’t be a douche to everyone they come across. People love watching douches get their comeuppance. I remind you all of Prenda.

weev is no Aaron Swartz.

Anonymous Coward says:

Re: The chat logs show other intent

If it was innocent exploration, I could see this being a poor application of justice. Unfortunately for weev, the chat logs contained in Wired’s writeup indicate it wasn’t for security purposes, it was for ‘lols’ and then it was discussed that disclosure of this information could/would manipulate the stock price of AT&T.

Moral: don’t go screwing around with websites, especially when they a) have something to do with America’s favorite white plastic vendor and b) your results include government officials. Another good practice would be to ensure that one doesn’t be a douche to everyone they come across. People love watching douches get their comeuppance. I remind you all of Prenda.

weev is no Aaron Swartz.

But that won’t stop Masnick from depicting the guy as an honorable, noble victim of a cruel, vindictive criminal justice system.

Anonymous Coward says:

Re: Re: Re: The chat logs show other intent

Weev isn’t a security researcher, he’s an attention seeker. A security researcher typically notifies the vendor and gives them time to fix the flaw. After the fix has been released and confirmed, full disclosure is acceptable. If the vendor fails to respond in an appropriate manner or timeframe, notifying the public is then a justifiable recourse. This isn’t universally accepted, by any means, but this process makes sense to me if improving security is the goal and not a byproduct. I’ve seen this work in many cases, and those researchers who follow the “responsible disclosure” method are still researching and not paying lawyers to file appeals.

Specifically, this case wasn’t about finding the flaw. It was what he did after discovering the problem and what he did with the information afterwards. Finding the flaw and sending security(at)att.com and/or webmaster(at)att.com an email would not have landed him in court. Finding the flaw and going straight to Gawker with the entire scraped data-set did.

Once the flaw was found, one or two records would have been sufficient for a Proof of Concept to be handed to the appropriate parties. Taking every single entry is indefensible and not needed to get the issue resolved.

JEDIDIAH says:

Re: Re: Re:2 The RICO principle.

Weev isn’t a security researcher, he’s an attention seeker

It doesn’t matter.

This is how bad precedents start. You start with a victim that’s easy to demonize. You use that to help generate public outrage or at least apathy. You use that to distract from how you are abusing the Law.

This “hack” was about as sophisticated as manually jumping to a particular TechDirt article. Making something like that a felony is far more of a problem than tolerating genuine evil (as opposed to a mere jerk).

Anonymous Coward says:

Re: Re: Re:3 The RICO principle.

The technical difficulty of the intrusion isn’t material. The actions of the convicted are. There was clearly malice involved in this act.

As I said, there are plenty of security professionals and amateurs finding and reporting flaws every day. Very few, if any (and definitely none that I’m aware of), are prosecuted if they behave as described in my previous post.

nasch (profile) says:

Re: Re: Re:4 The RICO principle.

The technical difficulty of the intrusion isn’t material. The actions of the convicted are.

I see what you’re saying, but in this case in a very real way he was doing nothing but disclosing publicly available information. He didn’t have to bypass any security measures at all to get this data. If he got to the pages he found by following a link on AT&T’s web site, anybody would agree that would be purely on AT&T’s shoulders. Why is it a felony when he does it by typing in the URL instead?

There was clearly malice involved in this act.

Even if true, just because something was malicious doesn’t make it illegal. At least I hope the CFAA isn’t written THAT badly.

Anonymous Coward says:

Re: Re: Re:5 The RICO principle.

It wasn’t a published URL, they knew they were obtaining subscriber data that wasn’t theirs, they had no misunderstanding that what they were doing was wrong, and the point wasn’t to help AT&T secure their site. That is unauthorized access regardless of how stupidly simple it was to get there.

nasch (profile) says:

Re: Re: Re:6 The RICO principle.

That is unauthorized access regardless of how stupidly simple it was to get there.

Obviously the court agreed with you. To me, the fact that the information was on a publicly available web page with no security measures protecting it means you could at least make an argument that access was implicitly authorized. Kind of like looking into someone’s back yard from the sidewalk when they haven’t put up a fence. They haven’t invited you to look, but they haven’t done anything to indicate they don’t want you to, either. AT&T didn’t take any steps to ensure the public didn’t look at this data, they just didn’t take any pains to make sure it was obviously available. It’s just a little scary to me to put someone in jail for 41 months for this. If anyone should be in trouble, it’s AT&T, in my opinion.

mh says:

Enormously stupid

This is beyond stupid and scary. If anything, a class action case can be argued against AT&T for not taking even basic measures to ensure the security of their clients, which would violate whatever privacy policy they have in place.

It would actually be interesting to read the privacy policy and see what “reasonable security measures” AT&T agrees to and is liable for. I am almost certain passing a password in the URL would amount to gross neglect on account of the service provider, and personal identification should be treated no differently.

A long time ago, on an IRC channel, a Yahoo server was hacked, and the details were shared amongst all people on the channel. Some of them immediately dug into the MySQL records, some went after log files… I looked up /etc/passwd, got a phone number from there and dialed it. It was a Sunday afternoon, and I got some Yahoo employee. I shared all the details of the hack, my information in case he wants to talk, and hung up. The system was taken offline, restored, and I got an email from the guy saying “Thank you”.

What the hell has happened between now and then?

p.s: I am not a jerk… but that certainly can’t have any bearing on what transpired, right?

Anonymous Coward says:

You know when I was a kid I thought the law was supposed to uphold the morals of society. Protect the good. Punish the evil. As an adult it never ceases to be disheartening to see how often it serves to punish the intelligent or good natured on behalf of those who are simply powerful and don’t want their status quo interfered with.

If I ever have kids, I may have a tough time teaching them to respect the law for any purpose other than self-preservation. It’s a shame.

tomxp411 (profile) says:

Remember, it's a JURY trial

This is one example where a jury of one’s PEERS could be done better.

I’ve been on a few jury panels (never actually been a juror), and it seems that the people picked are the ones who know little about a case. Anyone with computer knowledge will be excused by the prosecutor. Anyone with law enforcement ties is excused by the defense.

The goal seems to be to get a group of 12 people who know absolutely nothing about the subject matter of the case.

It’s not really a wonder that people are convicted of CFAA violations when they’re often just exploring potential bugs out of a sense of curiosity or even being security-minded.

Ken O. says:

Oh please....

He got popped because he did the WRONG thing, rather than because he ‘exposed a security risk’. The writer states: “To call attention to this, weev collected information on a bunch of famous folks who had iPads and alerted the press. This is what security folks do all the time.” and is incorrect. What REAL security people do is notify the company that they’ve located a hole and offer to either give them the info about it, or offer to sell them the info about it. They don’t gather info and “alert the press”.

Anonymous Coward says:

It’s sad that they’re throwing him under the bus just because he’s a dick… “which is perfectly legal”

I know of a few small security holes for some file lockers and one very evil one which I’d never even report just because of fear.
I also know of a small one on Hulu having to do with their AD services which I told them and nobody else but needless to say it’s 3 years later and it’s still not fixed.

I would not even consider myself a hacker; I’m just a curious mother fucker, and sometimes I see something that just looks like it could be abused. I don’t look to embarrass a company though; shit, these days I would not even tell them when the thanks could possibly be prison.

JoeyPhats says:

Come on people

I think the sentence is a bit overbearing. But he is a jerk. If you find a security hole you don’t go rooting around and collecting information on famous folks and then leak it to the press! You don’t leak it to the press; if you’re a real security expert you contact the company and allow them time to fix it. If they don’t, or show they aren’t trying, then sure, leak away. That is the problem with most of these cases: it’s not the actions that are getting punished, it’s the way these “grey/black” hat hackers handle it. They do it in the worst way possible.

JimmyTorino says:

Expose A Blatant Security Hole

Now wait a minute. From reading the title of this post one would think he called and informed AT&T about a security hole he discovered and then was arrested for it. But in reality he went beyond just the discovery; he intruded on people’s private data and then shared it with others. I am sure THAT is why he was put in jail. If you discover something like a security breach in a bank, for instance (a real-world bank, not an internet one), in which you have the ability to walk up to the bank from the outside and move a loose brick on the building, allowing you access to customers’ personal data, and then you take that data and disperse it to other people, would that be OK? Wouldn’t you just go into the bank and say “hey, there is a loose brick on your outside wall”? Think about it.

Anonymous Coward says:

Unfucking believable

While they’re busy imprisoning those who find security flaws and inform the people with that security flaw, for the purpose of them patching it, so any people/customers involved are that little bit more secure, the others looking for security flaws to benefit through less than moral reasons can keep using the same flaw, for god knows how long, because the person who may have discovered it is in prison.

Anyone involved in pushing this through and putting this guy away should be held accountable for any future hacks. Oh, I’m sorry, did you just say “but they’ve got nothing to do with it”?

A) One, they are, if their actions prevented a patch.
B) THIS guy isn’t committing a serious crime; it’s more of a public service.

Anonymous Coward says:

Re: Re: Re:

Funny, I’d have thought that someone who “does journalism” would have felt a moral obligation to disclose serious criminal conduct when decrying a 41 month sentence by claiming all “he did was expose a pretty blatant security hole in AT&T’s servers”. Perhaps Masnick felt these facts might undermine his claim that the law was unduly harsh and crime was minor.

uRspqF7L (profile) says:

insanity

the insanity of this story and so many of the responses to it on this site is a demonstration of one reason the prosecutors and judge took this case so far.

1) so few of the commentators care at all about the actual facts of the case–they have already decided (wrongly) that there was no evidence of weev’s own malicious commercial self-interest. But there was substantial evidence presented at trial that he was not trying to “expose a security hole.” So any story that bends the facts this way is starting from a wrong premise. The government convincingly (to the judge and jury) showed that he was trying to profit from his access to this information;
2) the very premise of the story–that what weev did was “expose a blatant security hole”–makes no sense on the surface. 10 or 100 email addresses would have sufficed to make that point and would have been very unlikely to produce this prosecution. 120,000 email addresses is prima facie evidence that he intended to do something far beyond “exposing a security hole”;
3) from reading biographical stories about weev, it seems entirely likely that he had done this sort of thing before to his own significant profit–he had a lot of money of unclear origin;
4) to the commentator who compared this to looking into your neighbor’s unfenced yard–that is both a frightening misunderstanding of privacy, and wrong, in that if I write down your account number on a piece of mail that I can see from the street, and then give that information to somebody else or have the intent–even the INTENT–to use it to my own profit, the fact that it was “visible” is irrelevant. It is stealing something to which I have no right–and it’s stealing EVEN THOUGH I may have left the original document where it was.

Anyone who thinks weev is a freedom fighter is reading the wrong dictionary and the wrong law code, and that so many people do (on SUCH flimsy evidence and poor reading of the actual news stories) SHOULD concern law enforcement, and those of you who portray him as a freedom fighter are ensuring that the crackdown is even harsher. This site is amazingly blinkered, but this story is exceptional even by those standards. I know it’s cool to love the outlaw, whatevs, but if you love the outlaw because they break the law, you don’t then get to ask for the system to go easy on them too.

nasch (profile) says:

Re: insanity

to the commentator who compared this to looking into your neighbor’s unfenced yard–that is both a frightening misunderstanding of privacy, and wrong, in that if I write down your account number on a piece of mail that I can see from the street, and then give that information to somebody else or have the intent–even the INTENT–to use it to my own profit, the fact that it was “visible” is irrelevant. It is stealing something to which I have no right–and it’s stealing EVEN THOUGH I may have left the original document where it was.

What law exactly would that violate? And who do you think the victim should be angry with, the perpetrator, or the company that puts sensitive information on the outside of his mail, or the post office for leaving his mail out where anyone can see it, or all of them? I’m not claiming weev is innocent of wrongdoing, I’m questioning whether a 41 month prison sentence is appropriate. If he had done the exact same thing with information he found in a trash can, would he have gotten the same sentence? Or is this different because it was “on the internet”?
