Prosecutors Admit They Don't Understand What Weev Did, But They're Sure It's Like Blowing Up A Nuclear Plant

from the wtf? dept

We’ve been covering the ridiculous DOJ case against Andrew “weev” Auernheimer for quite some time. If you don’t recall, Auernheimer and a partner found a really blatant security hole on AT&T’s servers that allowed them to very easily find out the email addresses of iPad owners. There was no breaking in to anything. The issue was that AT&T left this all exposed. But, with a very dangerous reading of the CFAA (Computer Fraud and Abuse Act) and a bunch of folks who don’t understand basic technology, weev was sentenced to 3.5 years in jail (and has been kept in solitary confinement for much of his stay so far). Part of the case is complicated by the fact that weev is kind of a world class jerk — who took great pleasure in being an extreme online troll, getting a thrill out of making others miserable. But that point should have no bearing on whether or not exposing a security hole, by basically entering a URL that AT&T failed to secure, becomes a criminal activity.

Throughout the case, it’s been clear that the DOJ was trying to make up an interpretation of the law that had no basis in the actual technology world. And it became abundantly clear at a hearing before the appeals court concerning weev’s case, that the DOJ really has no idea what weev did. They’re just sure it’s bad because it involves computers and stuff. Seriously, as reported by Vice:

“He had to decrypt and decode, and do all of these things I don’t even understand,” Assistant US Attorney Glenn Moramarco argued.

Say what? If that’s the basis for being declared a felon and locked up for 3.5 years, almost everyone is a felon. It’s likely that under that “standard” Moramarco himself is a felon, because I’ll bet he “decrypts and decodes and all of these things he doesn’t understand” on pretty much a daily basis. But, a tip to the US Attorneys’ office: when prosecuting a computer crime, you might want to at least try to have someone who actually understands the fundamental basics of what the person you’ve locked up has done.

But, Moramarco apparently doesn’t want to let his complete ignorance of what actually happened (someone putting a URL into a box and seeing the page that AT&T failed to secure) to get in the way of insane hyperbole about what he thinks weev did:

In its opening statement, the government made an incendiary comparison that seemed to reflect the nature of its understanding of the crime: the prosecution compared Auernheimer’s deeds to hackers “[blowing] up a nuclear power plant in New Jersey” in an attempt to illustrate how it was a relevant venue.

Yes, apparently exposing the fact that AT&T left its customers’ info wide open to anyone is the equivalent of blowing up a nuclear power plant. Yikes.

As the article notes, much of the hearing actually focused on the question of venue, and it appears that weev may get off on something of a technicality. Prosecutors had moved the case to New Jersey for no known reason and so it may get rejected for being the improper venue, which potentially could mean that the appeals court never even addresses the issue of just how badly the DOJ twisted the CFAA to bring down weev. The judges appear to be considering this, as they noted that based on the details of the case, there was no apparent connection to New Jersey and no reason why the DOJ couldn’t have brought the case anywhere (one judge apparently mentioned Hawaii).

The case is important because of all the CFAA abuse we’ve seen by the DOJ over recent years, and now it sounds like the appeals court may be able to just skip over that issue entirely. Given the DOJ’s own admissions of its lack of understanding about weev’s actions, that actually might be the best thing for the DOJ, allowing it to continue to make completely bogus CFAA arguments to take down technologically sophisticated people that the DOJ doesn’t like and doesn’t understand.

Filed Under: , , , , , , , ,
Companies: at&t

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Prosecutors Admit They Don't Understand What Weev Did, But They're Sure It's Like Blowing Up A Nuclear Plant”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Re: Someone please

the prosecution compared Auernheimer’s deeds to hackers “[blowing] up a nuclear power plant in New Jersey” in an attempt to illustrate how it was a relevant venue.

How in the nine circles of hell is that considered an admissable, non-inflamatory comment?

Because the defense attorney was not smart enough to object?

That One Guy (profile) says:

Re: Re: Someone please

Maybe he was too busy trying to pick his jaw off the floor after hearing such an insane, over the top accusation.

But yeah, the defense attorney should have objected very loudly, and very clearly, over such a blatant attempt at poisoning the jury against his client by comparing his action to something that’s not even remotely similar.

Michael (profile) says:

Re: Re:

Somewhat like the power plant leaving the doors open to the storage area with all of the fuel rods and he pulled up in a truck, took a big pile of them, and then proceeded to park in front of the power plant security gate and hold up a sign that said “free fuel rods”.

Except with less chance of radiation sickness.

PRMan (profile) says:

Re: Re:

Imagine a whole neighborhood of houses. The power company tells you that they put a note on your door telling you when your power would be out. On that note, you realize that they put your name, address, phone and SSN.

You then decide to go to your next door neighbor’s house. You see that his name, address, phone and SSN are posted on his door too. You then realize that you could go around the neighborhood and get anyone’s full contact information.

So you go on a blog and say “The Power Company are idiots. They exposed everyone’s data. What a bunch of stupid fools!”

Then they arrest you (for 3.5 years and put you in solitary) for breaking into every house in the neighborhood, even though all you had to do was go to every address and look at the posting on the front door.

The prosecutors then say that because of your awesome B&E skills, you could have just as easily broken into the nuclear power plant and caused a meltdown.

Rose M. Welch (profile) says:

…the definition of ‘hacking’ has been updated.

hack, verb
1. to cut and clear (a way, path, etc.), as through undergrowth
2. to cough in short dry spasmodic bursts
3. to manipulate a computer program skilfully, esp, to gain unauthorized access to another computer system
4. to use a computer in a way that observers do not fully understand or do not like

Anonymous Coward says:

Re: Re:

And this is why, when I find security holes, the very LAST thing that I do is mention them to the responsible party. I don’t work for them. I don’t owe them anything. And chances are good that if I try to help them out, they’ll respond by calling the feds.

So screw that. I keep them to myself and enjoy a good chuckle when days or years later it turns out that someone else found the same holes and exploited them.

I’m sure I’m not the only one doing this. The aggregate effect, of course, is that it makes the Internet less safe for everyone. But I’m not going to risk being the next weev. Not worth it.

So when you read about the next seventeen security breaches involving data loss incidents, you might wonder how many of those could have been avoided if unethical lying incompetent computer-illiterate assholes like Glenn Moramarco weren’t given the power to destroy lives.

John Fenderson (profile) says:

Re: Re: Re:

“The aggregate effect, of course, is that it makes the Internet less safe for everyone. But I’m not going to risk being the next weev. Not worth it”

If you really want to do a public service and alert companies and people to software vulnerabilities you’ve found, there are numerous ways to do that anonymously. You don’t have to risk a thing.

Ed Allen (profile) says:

"Ignorance of the law" by the prosecutor

Jurors are picked to have no knowledge of the subject of a
trial but if the judge and the prosecutor lack knowledge as
well then what purpose is the trial ?

“Ignorance of the law” by the prosecutor ought to be grounds for a
case to be dismissed if we had a system whose aim is Justice instead
of prosecutorial head count !

That is one of the functions of Jury Nullification. But
both judges and prosecutors try hard to prevent jurors
even hearing about that.

Anonymous Coward says:

so, who actually brought the case for prosecution? i am assuming it was AT&T? if that is the case, i sincerely hope there is something further wrong with what they have for a website, it is found but not (obviously after this episode) reported and proves to be rather costly for AT&T.

the really sad thing is that in return for exposing the flaw, people have been reported to the authorities by the company concerned. instead of holding up hands and getting all embarrassed, they have crucified those who wanted only to help. i fail to see how any amount of embarrassment can be worth removing 3.5 years of someone’s life from them!!

i also fail to see why the DoJ has gone after the guy rather than the company, which is clearly in the wrong, when it is supposed to be ‘the justice dept’! but then, helping important industries seems to be even more important to them than actually following the law!

aldestrawk says:

Re: Re:

Although the prosecution was brought by federal prosecutors within the DOJ, this case was initially investigated by the FBI at the behest of AT&T. I don’t think one can minimize the influence of AT&T in getting the government to pursue this case, although the details of that influence will probably never be known publicly. The case was, and is, such a weak one that never should have been pursued. Recall two people were charged; Andrew Auernheimer (Weev) and Daniel Spitler. Spitler pleaded guilty to the charges and was sentenced to 3 years probation on January 24, 2014. Compare that to 41 months of prison for Weev. This is yet another example of how people are severely punished, particularly in federal court, for fighting the charges against them.

I will provide the following timeline that shows how quickly the FBI got involved.

June 3, 2010 – June 8, 2010: Spitler and Weev collect email address/ICCID pairs.

June 6, 2010: Weev send emails to a handful of top media personnel whose emails were collected. He briefly explains how he came to know their email address and invites them to interview him. Weev explained that this was his way of, indirectly notifying AT&T of the security vulnerability.

June 7, 2010: AT&T is notified of the security breach by a ?business customer? who is not identified by AT&T.

June 8, 2010: AT&T has stated that they fixed this vulnerability, by Tuesday, within hours of being notified of the problem. They did this by disabling or removing the code which pre-populated the log-in page with an email address.

June 9, 2010: Weev contacts Ryan Tate of Gawker gives him the list of email address/ICCID pairings and details about their uncovering of AT&T’s security hole. Gawker publishes and article that very afternoon including a handful of redacted pairings that were for notable people.

June 10, 2010: Gawker is contacted by the FBI and issued a formal preservation of evidence notice.

You can see that the FBI was involved very early on. I can imagine that they were contacted by some executive at AT&T as soon as AT&T had learned of the breach.

Just Another Anonymous Troll says:

If doing some computer stuff of questionable legality= 3.5 years in jail.
And blowing up a nuclear plant= doing some computer stuff of questionable legality.
Then, by the transitive property, blowing up a nuclear plant= 3.5 years in jail.
I sense incoming terrorism directed at nuclear plants, as blowing one up should only be a 3.5 year sentence. *Insert happy NSA armed with justification for spying on completely innocent people*

Lurker Keith says:


I’ve been to sites that assign pics numerical identifiers, such that the only difference between some pics’ URLs is a chain of numbers at the end. Quick uploaders have been able to get related pics (say panels of a comic) to be in numerical sequence, which lets me navigate a comic just by changing one number in the URL (that way I can look at the full image, rather than the pic in whatever reduced size their viewer shows it in… for comic panels, some of the words can be down right impossible to read in the smaller size).

From what I remember & the recap, it looks like that’s all this guy did. He noticed a numerical ID, presumably when he logged in, & changed his to something else to see what would happen, & then reported the problem.

HOW ON EARTH IS THAT ILLEGAL IF HE REPORTED IT TO WHO HE WAS SUPPOSED TO? URLs have already been said to be public (they can’t be copyrighted, for instance), so entering one or a chain shouldn’t be a crime. How does finding a few URLs that someone screwed up the security on & pointing that out equate to jail time?

This is exactly how I would have defended myself if it were me, & probably gotten a jury to actually understand what was done. If it’s legal on one site, the identical thing can’t be illegal on the other. If it is, the law is broken.

madasahatter (profile) says:

Blowing up nuclear power plants

The prosecutor does not understand computers also knows nothing about nuclear reactors. Nuclear reactors, as designed, will not suffer the implied nuclear detonation. One of the worst case scenarios is overpressurization of the steam in the reactor causing the pressure and containment vessels to burst. Not a very easy to do in practice. The net effect would be a dirty conventional bomb. Nasty for those near by and to certain extent downwind, but no mushroom cloud.

John Fenderson (profile) says:

Re: Blowing up nuclear power plants

“Nasty for those near by and to certain extent downwind, but no mushroom cloud.”

Chernobyl says “who, me?”

A disaster like that is indeed very difficult to pull off, but to minimize the effect of it like that is misleading. The presence/absence of a mushroom cloud isn’t important. Chernobyl demonstrates that such events can have a very wide effect, not just for those nearby.

Regardless, comparing what weev did to that sort of thing is just plain idiotic.

Anonymous Coward says:

Re: Re: Blowing up nuclear power plants

The French tried to explain until they were blue in the face back then that a nuclear reactor CANNOT EXPLODE. To their ruin, it ruined a lot of their nuclear industry (the Chernobyl thing).

Think about it, research it. The reactor at Cernobyl just disappeared, ceased to be, after an explosion. Russians (and Ukrainians and Belorussians in general know what’s up on this one).

A lot like Fukushima.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...