The DOJ's Insane Argument Against Weev: He's A Felon Because He Broke The Rules We Made Up
from the bad-news-all-around dept
We’ve covered the lawsuit against Andrew “weev” Auernheimer, in which the feds pushed criminal charges against him under the Computer Fraud and Abuse Act (CFAA) for discovering a massive (and ridiculous) security hole in the way AT&T set up the iPad. Basically, they saw that AT&T handed out iPad IDs in numerical order, and then left the website open, allowing him (and a partner) to just increment by number and get back email addresses on everyone who owned an iPad. The feds seemed to argue that this was some nefarious evil hack, and Auernheimer was sentenced to 41 months in prison and has to pay $73,000 to AT&T (roughly the cost it took AT&T to inform its customers of its own bone-headed lack of security). So much about this case is ridiculous, and it’s complicated by the fact that nearly everyone agrees that weev is a world-class jerk. But, you need to separate that out from the details of what he did here, to note that it was nothing particularly special, and it involved the sort of thing that security researcers do all the time, and which all sorts of non-security researchers do quite often.
Auernheimer is appealing, and the DOJ filed its brief a week and a half ago. It took me until this weekend to finally have the time to dig into the full 133 pages, to realize just how ridiculous the whole thing is. Tim Lee, over at The Switch has a great explanation of what’s going on here aimed at less technologically savvy folks. Meanwhile, Robert Graham has an equally fantastic writeup for the slightly more technically savvy world over at Errata Security.
We’ll dig into some of the details in a bit, but as Graham points out, the feds somewhat obnoxiously nearly doubled the word limit imposed by the Third Circuit (the brief is 26,495, but the court only allows 14,000 as an upper limit). This is ridiculously unfair, because it lets the DOJ go on, at length, making claims that are almost wholly untrue, and at times ridiculous, while weev’s lawyers were hamstrung in limiting what they could put in their own brief. Welcome to the criminal justice system where the DOJ still seems to think it gets to play by its own rules.
And, really, that’s the most ridiculous part of all of this, because while the DOJ wants to play by its own rules, nearly its entire argument against Auernheimer is that he “didn’t play by the rules” where “the rules” it’s talking about aren’t actual rules at all, but rather what the DOJ makes up in the minds of some clearly technologically-illiterate lawyers.
The short version is that the government’s case is quite scary in the way it portrays weev’s actions — such that it could easily criminalize all sorts of things. For example, it goes on about changing the user-agent, as if this is some awful thing and a form of “lying.”
Spitler changed the user agent in his Account Slurper program in order to trick the servers into thinking that he was using an iPad…. He “lied to the AT&T servers” in order to get the information…. Spitler gathered this information without asking for permission from AT&T or from any of the iPad users that he was impersonating…. AT&T did not design its system to allow these email addresses to be made public.
There are so many problems with this. First, there are no hard and fast rules about user-agents that suggest this sort of thing is breaking the law. As both Graham and Lee point out, if “faking” the user-agent is a form of “lying,” nearly every browser does that and has for years. That’s because years ago, Microsoft added “Mozilla” to its user-agent since many websites optimized for different browsers, and Microsoft wanted servers to believe it was competitor Netscape, which many sites had designed to be nicer. So pretty much all browsers “lie.” Hell, for many years I’ve personally used “user agent switcher,” a plugin for browsers, to change my browser user agent at times, mostly for simple testing on certain websites, and sometimes for reporting purposes (to see how different sites provide different info to different browsers). I never thought I was “lying” or coming close to committing a crime. It’s just a bit of info a browser, or other piece of software, sends to a server to get information returned.
Similarly, the idea that AT&T “did not design its system to allow these email addresses to be made public” is simply, empirically, false. If they hadn’t designed it that way, then weev and his partner wouldn’t have been able to access it the way they did. The problem was clearly AT&T totally failed to lock down this system. Furthermore, they didn’t need to “ask permission” because they sent a request to the server and the server answered. If they didn’t have permission, the server would have rejected the request. It didn’t. The problem was very clearly AT&T’s. To charge weev with criminal charges for this is really insane.
Changing the user agent isn’t breaking any “rules” — except in the mind of the DOJ.
The DOJ really stretches to try to paint the actions by Auernheimer’s partner as some masterful “hack” when the details suggest otherwise. The brief goes on at length about all the “steps” that Daniel Spitler had to go through to get access to the information, but most of the “steps” are ridiculously padded, because they have nothing to do with the “hack” itself, but were merely about Spitler trying to setup his computer to act like an iPad. That might sound odd and involved to the clueless lawyers at the DOJ, but this sort of thing is done all the freaking time by security researchers. That’s how they can more easily test stuff out, by getting their computers to act like other machines. In theory, I guess, Spitler could have done the whole thing via an iPad, but what’s the point? The whole idea was, in part, looking for security vulnerabilities. The fact that it took Spitler a bit of time and effort to get his computer to emulate an iPad has nothing to do with the scanning itself, but the DOJ uses it as if it shows how “difficult” AT&T made it to find these emails. That’s wrong. AT&T made it quite easy to find the emails. The fact that Spitler had some trouble getting a computer to emulate an iPad is a totally separate issue.
From there, the DOJ starts playing dirty, pretending that because judicial law clerks can’t find the same kind of security hole, it somehow means that Spitler and Auernheimer were up to no good:
If an ordinary, but reasonably sophisticated computer user, like a typical judicial law clerk, had been assigned the task of compiling a list of e-mail addresses of iPad users available on AT&T’s servers, he almost certainly would not have been able to duplicate what Spitler did. The law clerk would likely go to AT&T’s website and search in vain for any links or other means to access this information. No hyperlinks or search engine requests would have produced the desired results.
This is really obnoxious. The US Attorneys working on this case know that a judicial law clerk is going to make the key call on this case, and this is a way to flatter those law clerks, claiming that they’re “sophisticated computer users.” But a “sophisticated computer user” is quite different from a security researcher or a higher level technically proficient user. The fact that they couldn’t find this info via a search engine is meaningless. No one is arguing that the info was available via search — but rather that it was incredibly wide open because of a security hole, and yes, you’d need some level of technical proficiency to figure it out, but as far as I know there’s no law making it illegal to be more technically proficient than a law clerk.
Later, the DOJ argues that using the ICC-ID number, which AT&T assigned incrementally is the equivalent of using a password. They’re apparently not joking:
The argument that the ICC-ID “is not a password,” begs the question of what counts as a “password.” Wikipedia defines a “password” as “a secret word or string of characters used for user authentication to prove identity or access approval to gain access to a resource (example: an access code is a type of password), which should be kept secret from those not allowed access.”… MK makes the facile argument that an ICC-ID is not a password because it is frequently printed on the outside of phone packaging, and thus is not secret. But that cannot be correct. Combinations to locks are often printed on the packaging, but the combination nevertheless is the secret “password” that opens the lock. Openness to the public prior to purchase is irrelevant, because after purchase the combination becomes the owner’s secret. So too with an ICC-ID. Once a phone or other device using an ICC-ID is purchased, no one can easily learn the ICC-ID unless he or she actually possesses it.
Try not to guffaw. Yes, even though the ICC-ID is just an incremental number, permanently stuck to a device, and is permanently printed on the device, the DOJ is insisting that it’s still just like a password. The fact that combinations are printed on packaging is meaningless, because it’s not meant to be left on the lock. Furthermore, this totally ignores the fact that the ICC-IDs were incremental. If AT&T had intended them to be secret, rule number one would have been to use a system that you couldn’t guess others accounts merely by adding one. And it gets worse:
An ICC-ID, unlike a password, is a unique identifier. In that regard, when it is used to gain access to a server, it can be even more secure than a password chosen by a user, which frequently can be guessed. Certainly a 19 or 20 digit ICC-ID is harder to guess using brute force than a typical four-digit ATM access code, misuse of which would certainly constitute a CFAA violation.
Except, uh, that’s not how an ATM card password works (and, yes, ATM cards are not particularly secure). You don’t put your ATM card into a machine and it automatically reads the code off the card and lets you into your account. That is, the PIN code is designed to be separate from the card, with the idea being that to get into your account you need both something physical and something in your head. The ICC-ID isn’t like that. It was designed to let the user automatically access their account without a password. There wasn’t that second “thing in your head” that makes a password a password.
From there, the DOJ tries to attack the fact that the “hack” was merely adjusting the URL incrementally to access each account. It does this by arguing that because SQL injection attacks can happen via a URL, therefore any “hack” via a URL can be a malicious hack.
For example, Albert Gonzalez was the mastermind of a credit card theft ring responsible for reselling more than 170 million credit card and ATM numbers from 2005 through 2007, the largest such fraud in history…. Gonzalez’s ring used what is known as an SQL injection attack, which can be performed by entering an “address” in a URL or entering data in publicly facing web forms. In many common SQL injection attacks, the challenge for the hackers is to determine the correct characters to send to the network’s database storing the data the attacker intends to exfiltrate. However, once the vulnerability is determined and the appropriate combination of characters is discovered, many SQL injection attacks can be reduced to a URL because malicious code entered into a form field in a website is often delivered to the victim’s network from the attacker’s computer in the form of a URL that includes within it the malicious string.
But, an SQL injection attack is very very different than merely incrementing a number in a URL. Yet, the DOJ wants to equate the two. That’s crazy. It goes on to try to link the two things much more closely:
And the result of these attacks, like the result in SQL injections, is that the browser returns unauthorized data from a database. An SQL injection attack is among the most dangerous and notorious hacks used today…
Sure, an SQL injection attack can be “dangerous and notorious,” but that’s because it’s entirely different than incrementing a number. An SQL injection to gain much more power over an entire server is not the same as just flipping through pages that are easily available. The attempt to link the two is crazy, but certainly could be used to mislead a less technically savvy “law clerk,” for example.
Later, the DOJ further argues Auernheimer and Spitler were guilty of bad things because they didn’t contact AT&T, but rather purposely chose to go to the press (specifically, Gawker) to publicize the discovery of the security vulnerability. While it’s true that it’s common to alert a company ahead of time, the fact that they didn’t do this is kind of meaningless here. If they were really up to no good, they wouldn’t have publicized the vulnerability at all. Yes, they sought to “benefit” from it: they wanted to use it to get attention for their security work at Goatse Security. But using the discovery of a security vulnerability to help get attention for their own security research operation doesn’t seem like evidence of nefarious intent. In fact, it seems like exactly the opposite. Then there’s this craziness:
The groups of security researchers and computer professionals who have filed amicus briefs in this case need not be troubled by this prosecution of this black hat hacker. Major technology companies today – Microsoft, Google, Facebook, PayPal, and Mozilla, to name a few – all pay bounties to white hat hackers who find flaws in their systems and thereby help keep them secure. The Government is not aware of any instance in which a security researcher who followed the rules of ethical hacking was prosecuted for violating the CFAA. Often, when a white hat hacker discovers and reports a security flaw, he is rewarded financially for his work by the company that he has hacked. But no one, not even a white hat hacker, gets to make his own rules.
Except, as Graham notes, the list above is the entire list of tech companies who pay bounties to white hat hackers. Most tech companies don’t do that, including… AT&T. Furthermore, Graham highlights this wacky line: “The Government is not aware of any instance in which a security researcher who followed the rules of ethical hacking was prosecuted for violating the CFAA.” Yes, they’re back to their made up “rules.” As Graham points out in response:
This is circular logic, saying that people who follow the rules don’t break the rules. When the prosecutors make the arbitrary decision that you’ve violated the CFAA, they’ll likewise decide that you don’t follow the rules of ethical hacking. Such circular logic is the basis for the prosecutor’s entire argument: Weev is a bad guy because he’s a bad guy.
When that’s the way the law is read, you no longer have the rule of law. And that’s why the case against Auernheimer is so ridiculous. It only works if the feds get to make up the rules as they go along, and argue that something is wrong, because they say it’s wrong.
Filed Under: andrew auernheimer, authorized access, cfaa, daniel spitler, doj, hacking, security research, user agent, weev
Companies: at&t
Comments on “The DOJ's Insane Argument Against Weev: He's A Felon Because He Broke The Rules We Made Up”
Testing grounds maybe? Next we might see this being applied to any dissent, no? I wouldn’t be surprised.
How is any of this surprising coming from an government that will go out of its’ way to warp interpretations of the laws of other nations to prosecute it’s own citizens.
Word limit and "rules"
I don’t suppose the DOJ lawyers can be sanctioned for filing an over length brief? Also I think an appropriate remedy would be to truncate their brief at the 14,000 word limit and fine the lawyers $0.10 per word over the limit. By my count that would leave the lawyers on the hook for $1,249.50 and their brief might make even less sense than it does currently.
Re: Word limit and "rules"
I’d make it $1m per word to be paid to weev and Co. directly.
Re: Word limit and "rules"
Also I think an appropriate remedy would be to truncate their brief at the 14,000 word limit and fine the lawyers $0.10 per word over the limit
So you think an appropriate remedy would be to charge the taxpayers?
Re: Re: Word limit and "rules"
Nope, charge the lawyers personally. Let them pay it out of their own pockets instead of department funds. This is still indirectly charging the taxpayers but only second or third hand.
Re: Re: Re: Word limit and "rules"
Expert Hackers is a professional hacking team based in India. We have testimonies from our numerous clients around the world. We are the best hackers alive. We specialize in hacking the following: * Hack and UPGRADE UNIVERSITY GRADES * Hack into any BANK WEBSITE * Hack into any COMPANY WEBSITE * Hack into any GOVERNMENT AGENCY WEBSITE * Hack into SECURITY AGENCY WEBSITE and ERASE CRIMINAL RECORDS * Hack into any DATA BASE * Hack PAYPAL ACCOUNT * Hack WORD-PRESS Blogs * SERVER CRASHED hack * Untraceable IP etc * We can restore LOST FILES AND DOCUMENTS , no matter how long they have been missing NOTE We can also teach you how to do the following with our e-book and online tutorials * Hack and use Credit Card to shop online * Monitor any phone and email address * Hack Android & i-Phones * Tap into anybody’s call and monitor their conversation * Email and Text message interception contact us at professional.hacker55@yahoo.co.uk
Re: Word limit and "rules"
“I don’t suppose the DOJ lawyers can be sanctioned for filing an over length brief?”
At the very least you’d think a fair judge would simply reject the brief outright and firmly instruct them to resubmit a complying brief with minimal delay.
Too much to hope for?
The name of the company was Goatse Security?
Clearly the main reason the DOJ is prosecuting weev so vigorously is because they were tricked into Googling “goatse”.
Wikipedia defines a ?password?
Did a court document really just cite wikipedia for a definition?
Re: Re:
For once they are using a current definition of a word as understood by most people, not a definition made up by government agencies to further their own ends.
Re: Re: Re:
Who’s to say they didn’t edit the entry just to snapshot it for use in the brief? Either way, the filing completely misunderstands the context of a password. Passwords are not supposed to be an incremented number. An incremented number is nothing more than an ID number, hence being the ICC-ID.
Basically, they saw that AT&T handed out iPad IDs in numerical order, and then left the website open, allowing him (and a partner) to just increment by number and get back email addresses on everyone who owned an iPad. The feds seemed to argue that this was some nefarious evil hack…
I guess that makes me a “nefarious evil hack” too. I use this same technique right here on Techdirt when I want to see the first comments a user has ever made, instead of paging thru them all.
For example:
I change the “start=20” to “start=2780” part of this address to see my first comments:
https://www.techdirt.com/comments.php?start=2780&u=gwiz
Re: Re:
Wow. Now only are you a nefarious evil hack, but you are clearly one with WAY too much time on your hands.
Nothing good can come of that. You should be locked up immediately.
Logic Fail
And the result of these attacks, like the result in SQL injections, is that the browser returns unauthorized data from a database. An SQL injection attack is among the most dangerous and notorious hacks used today…
Let’s get this straight. Because A and B result in the same thing and B is bad, A must be bad.
Hmmm…
If I put my ATM card into the machine and enter my PIN, money comes out. If I smash the ATM machine with a hammer, money comes out. ATM use = felony.
I’m pretty sure I can make anything bad with this logic.
Quote:
The DOJ’s and mine definition of sophisticated computer users are distant cousins on this one.
Any sophisticated computer user would know to look at the URL to notice patterns, that is basic stuff.
I do it here on Techdirt, since I have scripts disabled I have to look at the source page to read hidden comments and to answer to those I copy “cid=” after I click in any other “reply to this”, one day my lazy ass will get to write a proper script to replace all instances of hidden comments with a proper link that I don’t need to look up at the source, but this is simple, even download managers take advantage of that and allow people to batch download based on patterns.
e.g.: Downloadthemall have something they call batch descriptors
http://andreamoz.blogspot.com/2008/11/downthemall.html
https://bugs.downthemall.net/ticket/1943 (Multiple batch descriptors results in downloads of 10000 files)
Is that guy a hacker too?
You can imagine how many people would go to jail for using such things.
This is why I doubt that if those judicial law clerks can’t do a simple batch download they could be called “sophisticated”.
Re: Re:
If an ordinary, but reasonably sophisticated computer user, like a typical judicial law clerk, had been assigned the task of compiling a list of e-mail addresses of iPad users available on AT&T?s servers, he almost certainly would not have been able to duplicate what Spitler did.
So, what would such a user do assuming a reasponable level of intelligence?
They would seek out someone with greater knowledge who would then supply them with the information required to do what Spitler did.
Re: Re: Re:
Not to mention that I think this is the most important aspect of the whole argument (paraphrasing copied from above article ’cause I’m lazy):
“Basically, they saw that AT&T handed out iPad IDs in numerical order”
They didn’t go “we want compile a list of e-mail addresses of iPad users available on AT&T?s servers”. They went “oh, that looks wrong, I wonder if their system really is that bad”.
Savvy or not, to replicate the actions you need to have someone who is looking to see what’s wrong with that picture, not someone looking to break a lock.
The key here is really in the wording.
“Wikipedia defines a ?password? as ?a secret word or string of characters used for user authentication to prove identity or access approval“
A password does NOT identify a user, it proves that the identified user is who they say they are.
The ID’s used by AT&T are not passwords, they are ID’s. To try to pretend those are the same things is just being clueless.
Re: Re:
There is a lot in the DOJ’s filing that is “just being clueless”. The problem is the judges typically aren’t tech savvy and think that if the DOJ argument makes sense then the person must be guilty even if they don’t understand how…
That’s why you see the DOJ referring to judicial law clerks as “reasonably sophisticated computer user”…
Re: Re: Re:
The DOJs definition of reasonably sophisticated must mean knows how to navigate the Internet by clicking on links. Knowing how to use a keyboard must make anybody a dangerous hacker in their minds.
There was this service online that allowed you to upload images, people discovered that if you upload two different images with he same name the server only updated the image file not the thumbnail.
Kids are kids and what did they did?
They start uploading sexy photos first to create a thumbnail of it and next upload a nasty photo of something, many got goatsed that way.
Kids, eternal source of amusement for me, for the DOJ they all are the source of criminals.
Re: Re:
Remember, all criminals were once (if not still are) kids!
So ban being as a felony to start saving time.
Bring out the child-catcher!
Re: Re: Re:
^”Ban being a kid as a felony…” bah!
the rules
The ‘rules’ about the User-Agent are defined in RFC2616:
The stated purposes do not include: tracking user activity, identifying individuals, authentication.
Re: the rules
well.. considering that the mandatory browser used on most government systems these days is Internet Explorer and that this browser is lying by default in its user-agent that it is “Mozilla” (when it obviously isn’t made by Mozilla), i think the DoJ has a HUGE problem of a barge loads of pots calling on a single kettle…
using DoJ’s logic: ALL the systems used by the DoJ/US Government and its agencies are illegal and ALL their computer users should be thrown in prison for lying in the user-agent. Start with Obama, please, he uses government computers too /:p
Re: the rules
“The stated purposes do not include: tracking user activity”
Erm, that might not be the stated purpose but they do appear to provide the tools:
“The field can contain multiple product tokens (section 3.8) and comments identifying the agent and any subproducts which form a significant part of the user agent”
Sure, section 3.8 states “They MUST NOT be used for advertising or other non-essential information”. But if you did this anyway, that would simply mean that they’re not RFC 2616 compliant, not that they’re suddenly not user agents – and AFAIK no law says that something needs to be compliant.
Every user of download managers that have batch download modes are criminals now, do the DOJ knows how many people use that exact same principle to download pictures of cats and videos?
All hackers now.
a unique identifier is surely a username not a password?
and for that matter as i make websites i fairly often have to change the way my computer works to see how sites work on other browsers – evil stuff like wine and vms.
Re: a unique identifier is surely a username not a password?
indeed more like a db-assigned numeric id which is akin to a username. Its goal is identification not authentication (i.e. validation of identity). There’s so much wrong with this brief it boggles the mind. Best of luck to weev’s lawyer.
No sale
There is nothing that would make me sympathetic to weev.
I’m offended that he gets a full share of our collective oxygen.
The Justice Department used the tax laws to get Capone. If they have to stretch logic to put weev away, I’m for it.
Re: No sale
So you are against the rule of law. I understand. The trouble is that once everyone is OK with law enforcement lying and distorting in order to obtain convictions, they will do so routinely for everyone, not just for people you personally hate.
Re: Re: No sale
Do you know who “weev” is? Do you know what he does? Do you know how many lives he’s destroyed?
If you want to test the limits of the use of this law, I suggest you find a test case that isn’t so utterly execrable and despicable.
I believe in the rule of law, but I also believe that there are monsters who would seek refuge therein.
Re: Re: Re: No sale
It doesn’t matter. He could be satan incarnate, and it would still be a bad idea to “stretch” the law just to provide a bit of retributive “justice”. Not because of who he is, but because that kind of “justice” will end up being applied to us all.
Re: Re: Re: First they came for the hackers...
Here’s a line from an old play, ‘A man for all seasons’, that you might want to think about before demanding that someone be taken out at all costs, even it it means bending, breaking, or creating new laws specifically to do so, just because you don’t care for them.
Sir Thomas More: What would you do? Cut a great road through the law to get after the Devil? … And when the last law was down, and the Devil turned round on you ? where would you hide, Roper, the laws all being flat? This country is planted thick with laws from coast to coast, Man’s laws, not God’s, and if you cut them down ? and you’re just the man to do it ? do you really think you could stand upright in the winds that would blow then? Yes, I give the Devil benefit of law, for my own safety’s sake!
(Emphasis mine)
Re: Re: Re:2 First they came for the hackers...
Especially as if you can’t even treat the Devil according to Law, then how are you any better than him?
Leaving aside the Devil is just following “God’s Law” 😉
Re: Re: Re: No sale
If weev has destroyed lives – multiple lives, even – then prosecute him for those laws broken.
If he managed to destroy lives without breaking the law, then it seems we need a new law.
Re: Re: Re: No sale
Do you know how many lives he’s destroyed?
That is simple – have him go VS someone who’ll fight back far harder than he will in the Courts.
Because if one wants to destroy – nothing like the power of Government.
Re: No sale
The Justice Department used the tax laws to get Capone. If they have to stretch logic to put weev away, I’m for it.
Fair enough. Just remember you stated that when the precedence set by a bad ruling in this case causes you or a loved one to be jailed for mistyping a url in a browser window.
Re: No sale
The tax law they got Capone on actually existed, and Capone actually violated it.
Re: No sale
“There is nothing that would make me sympathetic to weev. “
And nobody is asking you to be sympathetic to him, only to consider the bigger and far more important picture. If Weev’s online actions deserves punishment (as I absolutely believe they do), then he should be punished for those actions, and not trumped up charges that could result in a terrible legal precedent that will have chilling effects on legitimate online security research and be used to unfairly or disproportionately punish others that you don’t happen to dislike.
Re: Re: No sale
Holy shit. Ya’ll who replied to this post got trolled. Look at his posted name for God’s sake.
Even if some of ya made good points, you got worked up over sarcasm.
Re: Re: Re: No sale
Poe’s Law – there’s a lot of people who honestly believe that crap, even if he’s being a troll. But, if some good points came out of it, then it was not a waste of time and the troll managed to get some real value out of the conversation. Troll fail, methinks.
Re: Re: Re:2 No sale
Yes, I think the Sir Thomas More quote should be used as much as the Ben Franklin (?) one about giving up freedom for security.
Re: No sale
“The Justice Department used the tax laws to get Capone.”
…and Capone was actually guilty of what he was jailed for. They didn’t stretch logic to put him away, they simply prosecuted him for the crimes they could show he committed, rather than the more serious charges they suspected but could not prove he committed.
That’s a very different thing to what you’re supporting here, which is “there’s one thing we think he’s guilty of, and we’ll say whatever we can to make him guilty”.
“I’m offended that he gets a full share of our collective oxygen.”
I’m offended that someone who thinks that “I don’t like him” is a good enough reason to put him away gets a full share of our collective oxygen. Does that mean I can get rid of you?
I wonder what 4Chan have to say about you…
Pro hint:
Dear DOJ please use the following expressions in Google or Bing or Baidu or whatever to find more criminals like Mr. Weev.
Download manager batch download
Download manager batch download descriptors
Download manager batch download patterns
Ugh
I usually use Iceweasel, a variant of Firefox, as my browser. As a result, I routinely change my user agent ID to get around idiotic websites that use it to decide whether or not my browser will work with them.
I also routinely directly edit URLs, because in many idiotic websites, navigating that way is easier than clicking around all the time.
So I guess I’m a criminal too.
It’s the kind of security that can only be seen by those who are suitable to their position 🙂
Mike's arguments are similary ridiculous
>> Furthermore, they didn’t need to “ask permission” because they sent a request to the server and the server answered.
That’s irrelevant. If I failed to lock the door, this doesn’t mean that it’s OK to enter. It doesn’t matter that you made a “request” (turned the knob) and door-lock “answered”. It’s still trespassing.
>> It does this by arguing that because SQL injection attacks can happen via a URL, therefore any “hack” via a URL can be a malicious hack.
Argument here is presented incorrectly. What DOJ tries to tell, is that “mere URL” can be quite dangerous thing, depends on content, like in SQL-injection.
So, like in many other cases it’s matter of intent. If this guy is known to be “world-class jerk”, he will (probably) have hard time trying to prove that his intentions were harmless.
Re: Mike's arguments are similary ridiculous
That’s irrelevant. If I failed to lock the door, this doesn’t mean that it’s OK to enter. It doesn’t matter that you made a “request” (turned the knob) and door-lock “answered”. It’s still trespassing.
Extremely different. Turning a doorknob is not making a request — it’s physically opening. Sending a URL is (literally) making a request to a server to send info back. And that’s what happened.
What DOJ tries to tell, is that “mere URL” can be quite dangerous thing, depends on content, like in SQL-injection.
But that’s a total misread of weev’s argument. A “mere” URL as presented by the server and then incremented up or down is quite different than sticking an SQL injection command hidden in a URL.
They’re comparing apples and oranges.
Re: Re: Mike's arguments are similary ridiculous
Re: Re: Re: Mike's arguments are similary ridiculous
Here’s a much better analogy for you. Sending a request is like knocking on the door. The server responding is like someone inside opening the door and handing you something. Each ID was a door, and weev was knocking on multiple doors and all of them opened up and AT&T handed him something. Now the DoJ is trying to say weev was a criminal because he was knocking on multiple doors.
Re: Re: Re: Mike's arguments are similary ridiculous
Are you for real?
SQL injection involves carefully crafting a URL by inserting improperly formatted data so that the server misinterprets a piece of the URL as an SQL command instead of the original purpose that piece of the URL was responsible for. It is this misinterpretation that results in privilege escalation and subsequent unauthorized access.
That’s the big difference between SQL injection and what happened here. This “hack” provided exactly what the server was expecting, a perfectly valid properly formatted numeric identifier. There was misinterpretation of data by the server, no privilege escalation, and no unauthorized access.
Re: Re: Re:2 Mike's arguments are similary ridiculous
argh. Final sentence should say “there was no misinterpretation of data by the server”
Re: Mike's arguments are similary ridiculous
That’s irrelevant. If I failed to lock the door, this doesn’t mean that it’s OK to enter. It doesn’t matter that you made a “request” (turned the knob) and door-lock “answered”. It’s still trespassing.
Better example. I found the address of your home. I write a letter, and I put an address (i.e. URL) on the front of it. You receive my mail, write a letter of your own, and reply to me.
At what point does your reply to me constitute a felony on my part?
Re: Mike's arguments are similary ridiculous
A better analogy would be if my bank were left open in the middle of the night with the safe open and no cameras or security guards in sight. Anyone can just go in and rob the bank and take my money from it. So a passer by walks in and notices that the bank has no security.
This is not a private house. It’s more akin to a bank carrying everyone else’s information. When they carry my information I have a right to ensure that my information is secure and if I find insecurities everyone else has a right to know about them so that they can choose to act accordingly (ie: not do business with that company, remove their information from it, contact it, etc…).
I agree that the researcher probably should have contacted the company first in secret (if he didn’t). But these days a possible response is that the company
A: Won’t fix the vulnerability and will likely ignore it
B: Will sue the white hat hacker upon publicly revealing the vulnerability.
These corporations did this to themselves and they deserve the fact that no one ‘plays by the rules’ because the rules are broken and written by corporations and the corporations never play by them anyways and they get away with it. The rules should be that the corporations get punished by the law for having such disregard for the security of their users. But no, our laws are backwards.
Re: Re: Mike's arguments are similary ridiculous
Oh god no that’s an even worse analogy. Don’t try to confuse this with stealing money, or in fact anything. You’re not wandering into something or sneaking past security, you’re asking if you can go in and answered in the affirmative.
If people really want an analogy, it’s like asking if you can enter an apartment building to visit a specific apartment. You’re only “meant” to ring the bell of the apartment of the person you’re intending to visit, but you’ve worked out that if you press any of them you can get in if there’s someone to answer. So you’re “hacking” the security system by the DOJ’s logic here but all you’re doing is making a request (to be allowed into the building), which is answered and authorised, even if you’re doing it in the correct way.
It’s still a very flawed analogy that doesn’t cover what you do once inside the building, of course, but most reasonably people wouldn’t count the bell ringing as breaking and entering. Weev’s actions are more akin to having noted down the names on the lobby mailboxes once he gained access.
“These corporations did this to themselves and they deserve the fact that no one ‘plays by the rules'”
I agree. If only the response to this was “suck it up, corporation and learn from your mistakes” rather than “we must prosecute this person as a lesson to others not to notice security flaws”….
Re: Re: Re: Mike's arguments are similary ridiculous
“Don’t try to confuse this with stealing money”
I didn’t say that the passer by stole money just that they noticed that there is no security.
“So a passer by walks in and notices that the bank has no security.”
‘Stealing money’ in this analogy would sorta be if the person used the private information gained for financial gain.
Re: Re: Re:2 Mike's arguments are similary ridiculous
“I didn’t say that the passer by stole money just that they noticed that there is no security.”
Well, you did say the following directly before that:
“Anyone can just go in and rob the bank and take my money from it.”
Sorry if I misinterpreted you, but that’s why these things can often turn into arguments about something they’re not. It’s a bad analogy because you introduced the concept of crimes far more severe than the one that happened and thus change the scope of the discussion.
” ‘Stealing money’ in this analogy would sorta be if the person used the private information gained for financial gain.”
True, but you’re using the analogy to describe a situation where – as far as I’m aware – that did not happen, so it doesn’t belong. Even if it did, weev would have been trying to get money from exposing the security flaw, not by simply robbing the data/money behind the flawed security.
I understand what you were getting at, but the analogy was not appropriate.
Re: Mike's arguments are similary ridiculous
“Mike’s arguments are similary ridiculous”
Why is it that people who disagree with Mike’s points not only act like assholes about it, but fail to understand the technology themselves?
“t doesn’t matter that you made a “request” (turned the knob) and door-lock “answered”.”
This is a horrific analogy that misunderstands at least 2 major technical points. Other have corrected you below, but FFS if you’re going to discuss things with bad analogies at least try not to be a dick about it.
“If this guy is known to be “world-class jerk”, he will (probably) have hard time trying to prove that his intentions were harmless.”
…and this kind of attitude is exactly why these attacks on due process and rights are so dangerous. You’re not only supporting a “guilty until proven innocent” approach, but supporting “I don’t like that guy” as a valid reason for prosecuting in the first place. How do you think this will ever end well?
Re: Re: Mike's arguments are similary ridiculous
Re: Re: Re: Mike's arguments are similary ridiculous
“What a judge does, is another thing entirely.”
Yes, he evaluates all evidence before him and judges depending on that, which may or may not include character evidence depending on the crime at hand. Not whether or not he personally likes the guy.
“Only human can decide whether you killed someone in cold blood or just was careless.”
…and that human will be evaluating all available evidence, including witness statements, video evidence, physical evidence at the scene, among other things. Character evidence may be used to sway a verdict where such evidence is absent or unclear, but it’s not used where such evidence is clear. Who cares what kind of an asshole someone is when there’s video evidence showing it to be a clear accident?
You suck at analogies.
“If you’re already convicted in murder felon, you will have very hard time arguing “just careless”.”
What, exactly are you interpreting from my words? Not what I’m saying, since you managed to come up with the exact opposite. YOU were the one trying to say he should be assumed guilty unless proven innocent (“prove that his intentions were harmless”). How you managed to come up with the idea that I was saying he should be arguing intent after conviction is beyond me.
So, it looks like your grasp of the arguments in front of you are as poor as your grasp of the technology (which you didn’t defend, by the way – interesting). I’d agree that someone as reactionary and ill-informed as you should not be hearing this particular case, but other than that you’ve not really made an argument.
Re: Re: Re: Mike's arguments are similary ridiculous
Yes, but the person should always be prosecuted according to actual laws, not based purely on personal dislike or rules the prosecution made up.
The DOJ will crash and burn on this one…I hope.
Instructables: Tammy’s version of the crashed witch in the wall
Ugh
The guy exploited a vulnerability in a third party system to collection personal information on thousands of people. I’m pretty sure that’s exactly what the CFAA was written for. Your argument seems to be “it was so easy it can’t really be criminal.” This wasn’t some automated script that accidentally found a hole, it was targeted and intentional.
Re: Ugh
Except this wasn’t done maliciously otherwise Weev wouldn’t have gone public with the information. Not contacting AT&T doesn’t matter, since there’s no law saying that if you find a security flaw you must contact the relevant company.
Re: Re: Ugh
Re: Re: Re: Ugh
However, this occurred after weev had informed AT&T of the issue in AT&T’s own words.
Anything else is irrelevant, as any ethical hacker has an obligation to confirm that their findings have been acted upon.
Any company that doesn’t act on this, really, deserves everything they get, and that would apply even if I were directly affected. Would I be happy about it? Hell no! But the company would be the one I blamed in a similar situation.
Re: Re: Re: Ugh
I don’t think you understand what the DOJ is doing in general and more specifically with the CFAA. The federal court system has moved away from using intent as a critical element of a crime. Weev was charged with conspiracy to commit unauthorized access as well as fraud. The unauthorized access charge does not require them to show intent one way or another,just that the access was unauthorized. Thus, the technical explanation of how the access occurred is the core of the argument. The fraud charge does require intent and this is why the DOJ uses pained logic to show that Weev benefited from disclosing the vulnerability. The trouble is that that logic can apply to any, I repeat, any security researcher who discloses a vulnerability. It doesn’t matter if the disclosure is full disclosure or responsible disclosure the researcher can be convicted of a crime because at some point they had to confirm the vulnerability by using it.
Re: Re: Re:2 Ugh
more specifically with the CFAA. … The unauthorized access charge does not require them to show intent one way or another,just that the access was unauthorized.
So if you have a list of IPs that you have banned because of spam and put up a banner in the SMTP daemon saying ‘this IP is banned, disconnect now’ and the email gets sent – is that a CFAA violation?
Re: Re: Re: Ugh
attack on reputation is not criminal though. it is a civil dispute.
Re: Re: Re: Ugh
“Now, going public can be seen as malicious (attack on reputation, for example).”
It’ll be a terrible day for internet security when damaging a company’s reputation by revealing their security weaknesses is seen as a bad thing. Company’s entrusted with their customers’ private data should be under constant and meaningful scrutiny, and should never be led to believe their reputation is more important that their customers’ privacy. In fact the fallout from a malicious data breach is arguably far more damaging to a company’s reputation than fixing a publicly exposed security flaw.
“Basically, that’s why courts are ruled by judges (or juries) and not by machines…”
Judges are there to ensure the law is followed. Punishing historic trollish behavior, no matter how despicable, would not be following the law in question.
Re: Ugh
The critical point that distinguishes access of a computer from unauthorized access is the authorization step. The DOJ is bending over backwards to try to show what they did was unauthorized and so now pretend that an ICC-ID is a password. This ignores the fact that accessing your ATT account for an Ipad 3G requires a real password. ATT automatically filled in the email address whenever a server request was sent to get the page that asked for the password. A violation of the CFAA requires unauthorized access. How can the DOJ claim the the ICC-ID is a password when the very next step in the process of accessing an ATT account requires a real password. Spitler and Weev never accessed anyone’s account.
Re: Ugh
Target and intentional kind of, curiosity is a good thing most of the time, further there needs to be malicious intent here to be criminal, which is lacking.
If anybody that is capable to add numbers could have done it, the problem is not with the people who do it is with the system that allows it.
Now where is the harm caused by the actions of the people involved here? did they do anything malicious? did they defraud anybody?
Nope than there should be no problem, what they did was to expose and make public a security problem, which most of the time is a good thing.
Re: Ugh
You apparently aren’t that technical, but to us programmers this is like charging someone with B&E when all they did was trespassing.
In case you don’t know the difference between those, one involves a locked door and the other an unlocked one. Big difference as there should be.
Re: Re: Ugh
“You apparently aren’t that technical, but to us programmers this is like charging someone with B&E when all they did was trespassing.”
No, to us programmers, it’s like charging someone with B&E when all they did was knock on the door, someone answered, and handed them something.
The whole model of URL as physical spaces is ridiculous, though. There is no physical space at a URL. Anything that’s available on the internet and not passworded IS BEING BROADCAST ONTO THE INTERNET ON PURPOSE.
The real metaphor is this: Weev changed the channels on his cable box a few times, and came across AT&T broadcasting their customers’ private information.
Re: Ugh
This wasn’t some automated script that accidentally found a hole, it was targeted and intentional.
No. It’s a guy that saw something that looked like a potential security hole, and then wrote a script to verify that it was the case so that he code report on it.
It’s illegal to lie to inanimate objects?
Re: Re:
If law enforcement persists in its trend to hire the braindead …
Re: Re:
It soon will be. The law makes it illegal to “disobey” inanimate objects, like stop lights. Our laws have gotten to the point where man must now obey machine.
Oh poor weev
It looks like Karma came back around. Weev is an unmitigated asshole and a should be in jail for what he did in the past. If he had been some anonymous guy who accidentally found this information, I have a feeling this would be handled differently. He should really be in federal pound me in the ass prison.. so maybe he can see what it feels like to be scared to death and frightened 24/7.
Re: Oh poor weev
“It looks like Karma came back around. Weev is an unmitigated asshole and a should be in jail for what he did in the past.”
All completely correct. Unfortunately Karma is a terrible way to run a justice system. Getting what you deserve shouldn’t have significant negative consequences for everybody else.
and before long, someone is going to shoot one messenger too many and there’s gonna be some serious shit splattered about! all this and similar law suits are about is finding someone, anyone, to be the fall guy and the company concerned as having done all they possibly could to secure their systems and customer info, but some nefarious ass holes, using all manner of illegal methods, managed, after hours of trying, to break in and steal some details, some info, that wasn’t sitting out front with a ‘pick me’ label on!
the really sad thing is that Obama was going to protect ‘whistle blowers’ and instead just shit on them! and just a few days ago, one of the security agencies wanted people to start spying on neighbours. anyone that did this must be out of their trees! the first ones in jail would be them, while those being spied on would be laughing their bollocks off!!!
DOJ: “AT&T did not design its system to allow these email addresses to be made public”
This is a very fundamental misunderstanding of computers. Unfortunately even technologically literate make it all the time. I learned the lesson when I first was learning to write code:
“A computer will always do exactly what you* tell it to do. It will not do what you mean it to do.”
It follows your instructions exactly – any mistake it seems to make was the result of an instruction it got and followed as designed. It’s another form of the ‘you can’t blame the tool’ argument.
*you is the user, in conjunction with the programmer of the application, and however many other levels of coders and system builders it takes for you to get down to the physical hardware.
ICC-IDs
The ATT/Apple assignment of ICC-IDs are not sequential. There is a number space of 100 billion to 100 trillion within the overall 20 digit ICC-ID set that is assigned to Apple. At that time there were (I think) roughly 200,000 ICC-IDs assigned in this block. They are assigned somewhat randomly from chosen sub-blocks.
Owners of an iPad 3G must provide an email address, billing address, and a password to complete registration and activate AT&T?s 3G service. When users log-in to the AT&T website for 3G subscribers they must provide that email address and password. AT&T made this process easier by automatically pre-populating the email address on the log-in page. A twenty digit ICC-ID (Integrated Circuit Card Identification) number uniquely identifies the SIM (Subscriber Identity Module) card of any device with cellular network connectivity. The iPad browser?s HTTP request for the log-in page, contained the iPad?s ICC-ID in plain text within the URL. The browser?s ?user agent? (a portion of the HTTP header) is one specific to an iPad. When the ATT server received such a request from an apparent iPad it would return the log-in page with the correct email address already supplied as long as the ICC-ID was one that matched a registered user. This feature, that made logging easier, also made it insecure. Note, that the email address is supplied before any authentication is done using a password.
How does one collect email addresses from multiple ICC-IDs? One way is to, sequentially, go through all the potential ICC-IDs and collect the emails received from the relatively few requests that were successful. Of the twenty digits the first two represent the Major Industry Identifier (MII, 89 for telecommunications). The next two are a country code (CC, 01 for the US). The next 1-4 digits are for the issuer, which is Apple in this case. These are not published but every iPad reveals one of them. This leaves 11-14 digits for the account number. The final digit is a check digit for error detection. So, one has to go through, roughly, 100 billion to 100 trillion ICC-IDs to find all the valid ones for Apple iPads. That is a pretty large number. Daniel Spitler wrote a simple PHP script that was colorfully named “the iPad3G Account Slurper”, to automate the procedure. The set of valid ICC-IDs are not sequential. After some initial success they were having a problem finding valid ones. They guessed that the iPad 3G used ICC-IDs from different blocks of numbers. The ICC-ID is printed on the SIM, so they guessed these blocks based on Daniel Spitler?s iPad, those of acquaintances, and from public pictures of the iPad 3G shown on Flickr and other photo websites.
An app could have been written for the iPad. Since it would be unlikely such an app would be approved by Apple this would have to done with a jailbroken iPad. Such an app would still need to ?spoof? the ?user agent? of the browser for the iPad. Another option is to write a script for use on a computer that is not an iPad and, again, utilize a spoofed ?user agent?. Whichever approach was taken, the result was that, altogether, approximately 120,000 email address/ICC-ID pairs were collected over a period of several days from June 3, 2010 up to June 8, 2010.
Note that Spitler identified the sub-blocks that Apple used by finding ICC-IDs from pictures of Ipads on Flickr. If the ICC-ID were a password why would people post this number publicly on their Flickr account? Also, the painfully obvious flaw in the DOJ’s argument about ICC-IDs being passwords is that a real password was required right after ATT so helpfully filled in the email address in response to a valid ICC-ID.
responsible disclosure, contacting ATT
The crux of responsible disclosure is that the company responsible for the faulty software or hardware is notified of the security vulnerability and given a reasonable amount of time to fix it before the vulnerability is made public. This actually happened in this case. Neither Weev nor Spitler directly notified ATT. However, they did wait until the vulnerability was fixed before Weev gave Ryan Tate of Gawker the list of email/ICC-ID pairings. Weev sent emails to various members of mainstream media whose email addresses were included in their acquired list. For each media person he included only their own email/ICC-ID in the email he sent. He also invited them to interview him about the ATT security breach. In this way he was indirectly notifying ATT of the breach as well as attempting to garner more publicity. Weev and Spitler waited until they could no longer repeat the retrieval of email addresses with their slurper program before contacting Ryan Tate. This meant that ATT had closed the security vulnerability.
Mmm, begging the question...
Actually, it does not “beg the question”. Pet peeve of mine. It’s funny, because if you look up “begging the question” on wikipedia (they were already there, looking up “password”), you would see that begging the question is actually…well, I’ll just let Robert Graham handle it.
Re: Mmm, begging the question...
Yeah, this is one of my pet peeves, too, although I have pretty much given up on it. But, for the record, “begging the question” means an answer to a question that itself raises the same question. It is an incredibly common logical fallacy. A great recent example is from the same-sex marriage debate: asserting that same-sex marriage should not be legal because marriage is a union between a man and a woman is begging the question.
The argument that the ICC-ID is not a password raises the question of what counts as a password.
Re: Re: Mmm, begging the question...
Exactly – begging the question == circular logic. I’ll have to remember your SSM example, as I always have trouble trying to provide examples of circular logic, because it’s so darn stupid and I can’t bring myself to that level of stupidity easily.
I probably wouldn’t have said anything either, if not for Mr. Graham’s quote containing the definition of “begging the question”.
To those that say...
…that weev “deserved” to go to jail, no matter what he did:
More: What would you do? Cut a great road through the law to get after the Devil?
Roper: I’d cut down every law in England to do that!
More: Oh? And when the last law was down, and the Devil turned ’round on you, where would you hide, Roper, the laws all being flat?
(From the movie A Man for All Seasons, 1966)
The same with all government: you’re a criminal if you break the rules that they made up.
The DOJ won’t obey the rules of the court? Declare mistrial; have the case dismissed.
When corporations practice poor security why do those that discover their vulnerabilities get penalized. The law should punish the corporations for not properly protecting their users instead. This is negligence on their part.
Appeal Consequence
If Weev has a successful appeal, (this I doubt)
this will damage use of the CFAA and there would be in the records of a court proof that AT&T had stored confidential customer in a dangerous insecure way. The consequence ought to be customers suing AT&T for putting their real identities and good names at risk.
Re: Appeal Consequence
The real consequence should be customers leaving AT&T for a more competent competitor and them losing money as a result. The market speaking would be preferable to lawsuits.
However, this would assume both that AT&T have real competition and that the average consumer is both willing and able to understand the security problems introduced to the degree where they’d be spurred into action – neither of which is sadly likely.
Same as bank robbery
If you are walking down the street, and you find a bank with it’s vault wide open and no one in site, (a gaping security hole), you are no less a criminal if you help yourself to the money within.
It’s the exploitation of the security hole that is a crime, not the hole itself.
I am sure you would NOT be let off if you told the judge “the bank and vault was wide open, and there was no security guards, therefore I am innocent !!!” ..
Yea right..
HELD FOR MODERATION
How long do you intend to be a free speech and censorship abuser and zealous thug ?
Just wondering, I guess you are proud and protecting of your ‘powers’ to censor, and your ability to stifle open debate and free speech !!!
At least change the message to read correctly !!!
HELD FOR CENSORSHIP
HELD BECAUSE I FEAR FREE SPEECH AND OPEN DEBATE.
HELD FOR CENSORSHIP
Thanks for your comment.
It will be reviewed by our staff before it is posted.
No, Mr Masnick THANK YOU for displaying your willingness to abuse free speech and censorship, and displaying to your readers that you are as big an abuser of free speech and censorship that ANYONE you write about.
Thank you for displaying that abuse in such a clear concise manner, and showing (eventually) that you are certainly NOT above such abuses..
In fact you employ the abuse of censorship to stifle free speech..
THANK YOU… you must be so proud of yourself !!!
Re: HELD FOR CENSORSHIP
I don’t know what jackass universe you live in where “reviewing” is “censorship”, especially since when your verbal vomit is inevitably posted.
I wish Masnick would censor you for real so you can see what it looks like, fuckface.
DOJ and AT&T are off-base here
Iterating a user number is standard practice when evaluating the security of a given system, and is something that many information security professionals routinely do – even for their personal device accounts.
unconstitutional it is
Constitution of the United States, Article I, Section 9, paragraph 3:
“No Bill of Attainder or ex post facto Law will be passed.”
How Weev's prosecutors are making up the rules By Robert Graham
Much was said well in Mr. Graham’s article about the illogic of the government’s argument about “hacking.” But on the issue of the government brief exceeding the word limit for briefs filed in the Third Circuit, nothing was said as to whether the government lawyers sought, or not, the Court’s permission to exceed the normal word limit. And the article only assumes that Mr. Auernheimer’s attorney(s) needed to exceed the 14,000 word limit, and somehow were unfairly denied permission to submit a lengthier brief.
Wikipedia as a source for legal briefs
If (as is allowed) someone changed the Wikipedia page referenced, then I would think that the brief would then be a lie. Not that it isn’t already…