Expose A Blatant Security Hole In AT&T's Servers, Get 3.5 Years In Jail

from the now-the-holes-will-be-open-longer dept

We've written a few times about the case of Andrew Auernheimer, perhaps better known as weev. While he has a bit of a reputation as an online troll and a self-admitted jerk, his case is yet another example of how ridiculously broken the CFAA (Computer Fraud and Abuse Act) remains. In this case, what he did was expose a pretty blatant security hole in AT&T's servers that allowed anyone to go in and find the emails of any AT&T iPad owner merely by incrementing the user ID. This isn't a malicious "hack." It's barely a "hack" at all. This isn't "breaking in." This is just exploring a totally broken system. To call attention to this, weev collected information on a bunch of famous folks who had iPads and alerted the press. This is what security folks do all the time. And for his troubles in helping AT&T discover and close a pretty bad security hole, he's been sentenced to 41 months in prison, plus he has to pay $73,000 to AT&T. One hopes AT&T will use it to hire half a decent security person or something.
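The "increment the user ID" flaw described above is an insecure direct object reference: the server looks up whatever record the client names and never checks that the caller owns it. The following Python is an added illustration, not code from the article, from AT&T, or from the people involved. The account table, the IDs and the addresses are constructed, and the handler names are invented; it shows the flawed lookup beside the hardened one, and why sparser IDs alone do not close the hole.

```python
"""
Added example, not code from the article or from AT&T: an insecure direct
object reference (IDOR) of the "increment the user ID" kind, beside the
hardened handler that closes it. The account table, the IDs and the
addresses are constructed; the function names are invented for illustration.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample data: records keyed by a small, sequential numeric ID.
ACCOUNTS = {
    1001: {"email": "alice@example.test"},
    1002: {"email": "bob@example.test"},
    1003: {"email": "carol@example.test"},
}


@dataclass
class Session:
    """The authenticated caller; account_id is the one record this session owns."""
    account_id: int


def lookup_email_vulnerable(session: Session, requested_id: int) -> Optional[str]:
    """The flaw: the server trusts whatever ID the client supplies and never
    asks whether this caller may read that record. Because IDs are sequential,
    walking the whole table is a matter of counting upward."""
    rec = ACCOUNTS.get(requested_id)
    return rec["email"] if rec else None


def lookup_email_hardened(session: Session, requested_id: int) -> Optional[str]:
    """The fix: authorise the object, not just the request. A record the
    caller does not own is answered exactly like a record that does not exist,
    so the response also stops confirming which IDs are valid."""
    if requested_id != session.account_id:
        return None
    rec = ACCOUNTS.get(requested_id)
    return rec["email"] if rec else None


def walk_ids(lookup: Callable[[Session, int], Optional[str]],
             session: Session, start: int, count: int) -> List[str]:
    """Replay the 'increment the ID' walk against a handler over the constructed
    table and collect whatever it returns. Against the vulnerable handler one
    session receives every address; against the hardened one, only its own."""
    found = []
    for uid in range(start, start + count):
        email = lookup(session, uid)
        if email:
            found.append(email)
    return found


def new_sparse_id() -> int:
    """Random 64-bit IDs make blind walking impractical, but they are not a
    substitute for the ownership check above: an ID that leaks through a log,
    a shared URL or a screenshot still opens the record if the server only
    checks that it exists."""
    return secrets.randbits(64)


if __name__ == "__main__":
    alice = Session(account_id=1001)
    print("vulnerable:", walk_ids(lookup_email_vulnerable, alice, 1000, 10))
    print("hardened:  ", walk_ids(lookup_email_hardened, alice, 1000, 10))
```

The design point is that the check lives in the handler, next to the lookup, keyed on the session rather than on anything the client sends; `new_sparse_id` is there to make the contrast explicit, since unguessable IDs reduce exposure to blind walking but leave a leaked ID fully usable.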

The sentencing, by the way, was near the top of the "guidelines" the judge had, for those who insisted that the courts in other CFAA cases, such as Aaron Swartz's, might be lenient.

Plenty of people, especially in the security community, are realizing what a ridiculous ruling this is and how dangerous it is. As people are starting to point out, while he may be a jerk, that doesn't mean he's a criminal. The prosecution used chat logs in which Auernheimer and a friend, Daniel Spitler, discussed the effort, and the fact that they talked about harming AT&T's reputation and promoting themselves as security experts. I don't see how that leads to any criminal activity, though. AT&T's reputation should be tarnished for having crap security. And why wouldn't some researchers talk about using the discovery of a really bad privacy hole at a major corporation to boost their own credentials? Pretty much anyone in their shoes would reasonably think the same thing.

Prosecutors, of course, played up Auernheimer's history of being a jerk, but that alone has little to do with his actions here:
"His entire adult life has been dedicated to taking advantage of others, using his computer expertise to violate others' privacy, to embarrass others, to build his reputation on the backs of those less skilled than he," wrote U.S. Attorney Paul Fishman, who went on to note the "atypical recalcitrance by the defendant to conform to the laws regarding unauthorized computer access."
While that may be true, none of that, by itself, is illegal. And the actions that exposed a glaring hole put in place by bad programmers at AT&T shouldn't be either.


Reader Comments

  •  
    That Anonymous Coward (profile), Mar 19th, 2013 @ 3:39am

    Embarrass a corporation or the Government and go to jail.
    Expose stupidity, go to jail.
    Expose duplicity, go to jail.
    Expose the destruction of citizens freedoms, go to jail.
    Destroy the economy, get handed lots of cash.

     


    •  
      Roverandom, Mar 19th, 2013 @ 5:24am

      Re: Then again

      By the same token...

      Act like a jerk for many years
      Build a reputation for being a real asshole
      Piss off a lot of innocent people
      Actively make enemies whenever possible
      Openly defy anybody to do anything about it

      ...and the first chance you give them an opening to take a shot at you, what else can you realistically expect? Build up a big enough negative balance in your "payback account" and sooner or later somebody will call in the loan.

       


      •  
        silverscarcat (profile), Mar 19th, 2013 @ 5:44am

        Re: Re: So what?

        Last time I checked, acting like a jerk didn't mean that you had to go to prison.

         


        •  
          Anonymous Coward, Mar 19th, 2013 @ 5:55am

          Re: Re: Re: So what?

          "Last time I checked, acting like a jerk didn't mean that you had to go to prison."

          If it was, my entire condominium board would be serving life sentences.

           


        •  
          tomxp411 (profile), Mar 19th, 2013 @ 10:26am

          Re: Re: Re: So what?

          Acting like a jerk isn't a crime, but I do think that it speaks to his intentions and state of mind when he was playing around on AT&T's servers.

          And I am guessing the judge thought the same thing.

           


          •  
            silverscarcat (profile), Mar 19th, 2013 @ 1:52pm

            Re: Re: Re: Re: So what?

            And suddenly everyone is either psychic or a psychologist with 10 degrees of study on the human psyche.

             


            •  
              btr1701 (profile), Mar 20th, 2013 @ 9:43am

              Re: Re: Re: Re: Re: So what?

              > And suddenly everyone is either psychic
              > or a psychologist with 10 degrees of study
              > on the human psyche.

              Well, if this was the one time he wasn't acting with ill intent, then he has only himself to blame for creating that expectation in others with his lifetime history of assholery.

               


      •  
        Colin, Mar 19th, 2013 @ 5:53am

        Re: Re: Then again

        ...and the first chance you give them an opening to take a shot at you, what else can you realistically expect?

        Um, maybe to act like adults and use some sort of discretion and judgement? Trust me, I wish I could send every asshole I came across to jail, but that's not how it works - for us normal folks, at least.

         


        •  
          Robert Doyle (profile), Mar 19th, 2013 @ 9:05am

          Re: Re: Re: Then again

          And the argument can be made that he wasn't being sent to jail for being an asshole (ok, yes, he was... but I'm advocating for the devil so gimme a chance) but for sharing a bunch of information that wasn't his to share. The argument can be made that he could have gone about this a dozen different ways and chose the one that was the most "enjoyable" to him and not the most responsible. He could have shown discretion and judgement.

          Of course, that sentence should be shared between him and the board of AT&T for allowing crap like that to happen and then playing innocent victim when it does.

          I think the only real victims in all of this were the AT&T customers who had their private communication splashed around the internet.

           


      •  
        That Anonymous Coward (profile), Mar 19th, 2013 @ 5:56am

        Re: Re: Then again

        That is no way to talk about AT&T.

         


      •  
        Jesse (profile), Mar 19th, 2013 @ 10:03am

        Re: Re: Then again

        Well Aaron Swartz was widely loved and look where it got him. I get your point but there's more to it than that.

         


  •  
    Anonymous Coward, Mar 19th, 2013 @ 4:01am

    yet another case of the 'whistle blower, the messenger' being hit so as to try to save face of the company it exposed. you can thank the Obama administration for lying about protecting whistle blowers and the various law enforcement agencies for having to also 'save face' when prosecuting. everyone has jumped on board now, so the 'customers' are the ones that always suffer.

     


    •  
      Anonymous Coward, Mar 19th, 2013 @ 4:37am

      Re:

      Thanks Obama

      Since this has obviously never happened anywhere else in the known universe, we can all share our total disgust with everything that the present administration has done and is going to do. Obviously the GOP is much better and this would not have happened if they were in control of everything.

      .... /s jic

       


      •  
        Colper, Mar 19th, 2013 @ 5:10am

        Re: Re:

        Now you just sound stupid...

         


      •  
        Anonymous Coward, Mar 19th, 2013 @ 5:28am

        Re: Re:

        No one held up the GOP as being champions of whistle-blower protection to get their candidate elected president though. I mean it's one thing to be just as bad and quite another to promise making great strides to improve on a predecessor who was pretty bad and then somehow get even worse.

         


      •  
        RyanNerd (profile), Mar 19th, 2013 @ 5:35am

        Re: Re:

        While I am not defending the position that the GOP would have done any better, the fact is that the Obama administration has made protecting whistleblowers a 'priority'.

        The administration SHOULD ABSOLUTELY be taken to task for failure to do what they said was a priority. Arguing that the GOP would not do any better is a pseudo strawman argument.

         


        •  
          Anonymous Coward, Mar 19th, 2013 @ 5:57am

          Re: Re: Re:

          "The administration SHOULD ABSOLUTELY be taken to task for failure to do what they said was a priority. Arguing that the GOP would not do any better is a pseudo strawman argument."

          Check out who did the actual OKs on the prosecution.
          Odds are they're Republicans or Republican appointees.

           


          •  
            JEDIDIAH, Mar 19th, 2013 @ 9:04am

            Your Jung is showing.

            It's the Obama Justice Department. He's the guy in charge. The buck stops with him.

            Attempting to blame it on anyone else is just dishonest.

            You've got an obvious cognitive dissonance brewing there. There's a truth to this situation you're not willing to face.

             


    •  
      URSOSMAHT, Mar 19th, 2013 @ 12:07pm

      Re:

      "Anonymous Coward" is the perfect name for someone who visits tech boards to blame Obama for a courtroom decision (see: judicial branch, separation of powers).

       


  •  
    Pete Austin, Mar 19th, 2013 @ 4:17am

    The Guardian hacked me like this

    A few years ago, a freelancer working for The Guardian newspaper in the UK hacked my site like this.

    I'm not so stupid as to allocate sequential IDs, and we had alerts in place for suspicious activity, because a lot of people try to obtain information by modifying URLs. I think some of the major ESP hacks were done like this.

    But it turned out there was a pattern to our IDs that could be guessed and if you made a few calls per hour per IP then you could very slowly syphon out data. I think the journalist made about 5 calls and then stopped, which was just under the threshold for alerting.

    When this turned up in an online article that tried to embarrass one of my clients (with no prior warning that I'm aware of, and I *would* have been told) we rapidly patched the issue by making the IDs much more sparse.

    We didn't dream of contacting the police, the Guardian didn't contact us, and basically I was happy that the security hole was fixed.

    BTW we also went through our logs and nobody else was trying the same attack. Some people trying high-volume attacks, of course, but they'd already been blocked automatically.

    I suspect my experience is much more typical of what usually happens.

     


    •  
      Anonymous Coward, Mar 19th, 2013 @ 4:39am

      Re: The Guardian hacked me like this

      Encryption is such a bad idea, no wonder it is not used.

       


    •  
      nasch (profile), Mar 19th, 2013 @ 9:31am

      Re: The Guardian hacked me like this

      we rapidly patched the issue by making the IDs much more sparse.

      We didn't dream of contacting the police, the Guardian didn't contact us, and basically I was happy that the security hole was fixed.


      No it wasn't. You just made it somewhat harder to guess the IDs. You're still relying on security by obscurity, you just increased the obscurity.

       

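Pete Austin's post above (alerts tuned to calls per hour per IP, and a requester who stayed just under that threshold) and nasch's reply (sparser IDs only raise the obscurity) both bear on how this kind of enumeration is detected. The following Python is an added example, not code from either commenter or from any real site: its log format, thresholds and log lines are constructed for the illustration, and the regex would have to be adapted to a real server's format. It shows why a per-hour threshold is the wrong shape for a patient requester and what a longer window over distinct object IDs catches instead.

```python
"""
Added example, not code from either commenter or from any real site: flagging
slow object-ID enumeration from access logs. The log format, the thresholds
and the log lines are constructed for this illustration; the regex must be
adapted to a real server's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed format: "<iso-timestamp> <client-ip> <status> GET /account/<id>/email"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<status>\d{3}) GET /account/(?P<id>\d+)/email$"
)


def build_sample_log() -> List[str]:
    """Constructed traffic: 198.51.100.7 requests a *different* record every
    15 minutes for six hours (24 distinct IDs, never more than 5 in any hour),
    while 203.0.113.9 re-reads its own record every 30 minutes."""
    base = datetime(2013, 3, 19, 0, 0)
    lines = []
    next_id = 2000
    for hour in range(6):
        for k in range(4):
            ts = base + timedelta(hours=hour, minutes=15 * k)
            lines.append(f"{ts.isoformat()} 198.51.100.7 200 GET /account/{next_id}/email")
            next_id += 1
    for m in range(0, 360, 30):
        ts = base + timedelta(minutes=m)
        lines.append(f"{ts.isoformat()} 203.0.113.9 200 GET /account/1001/email")
    return lines


SAMPLE_LOG = build_sample_log()


def parse(lines: Iterable[str]) -> Iterator[Tuple[datetime, str, int]]:
    """Yield (timestamp, client ip, object id); lines that do not match the
    constructed format are skipped, as a log pipeline would skip them."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], int(m["id"])


def max_distinct_ids(lines: Iterable[str], window: timedelta) -> Dict[str, int]:
    """Per client IP, the largest number of distinct object IDs requested inside
    any sliding window of the given length. Distinct IDs, not raw request
    count, is the signal: re-reading your own record is normal, touching many
    different records is not."""
    per_ip: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for ts, ip, oid in parse(lines):
        per_ip[ip].append((ts, oid))
    result = {}
    for ip, events in per_ip.items():
        events.sort()
        in_window: Dict[int, int] = defaultdict(int)
        start, best = 0, 0
        for ts, oid in events:
            in_window[oid] += 1
            # Drop events older than the window from the left edge.
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        result[ip] = best
    return result


def flag_enumerators(lines: Iterable[str], window: timedelta, threshold: int) -> List[str]:
    """Client IPs whose distinct-ID count within some window reaches the threshold."""
    return sorted(ip for ip, n in max_distinct_ids(lines, window).items() if n >= threshold)


if __name__ == "__main__":
    print("1h window, threshold 10:", flag_enumerators(SAMPLE_LOG, timedelta(hours=1), 10))
    print("24h window, threshold 10:", flag_enumerators(SAMPLE_LOG, timedelta(hours=24), 10))
```

On the constructed traffic the one-hour window never sees more than five distinct IDs from the patient client, so a per-hour threshold of ten stays silent; the same threshold over a 24-hour window flags it. Detection of this kind, like sparser IDs, is a layer on top of the real fix, which is the server checking that the caller owns the record it asks for.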

  •  
    Lonyo (profile), Mar 19th, 2013 @ 4:27am

    Bad idea

    Is this not incredibly dangerous and counterproductive?

    Basically, a guy finds a flaw in a website, and reveals it (after being slightly nefarious to show that it's an issue and get it publicity).

    For bringing it to the attention of the public, he gets punished.
    If he had kept it secret and just leaked the information without revealing himself, which he could have done, the security hole may not have been notified to AT&T.

    Basically it means that amateur security people will no longer find these holes in large corporations, meaning people who want to exploit them for personal gain will have a much easier time of keeping them secret or finding them first.
    Resulting in a LESS secure system, due to laws which are supposed to improve security.

    If your law against hacking results in hacking being driven more underground and people NOT revealing security flaws they find, you're doing it wrong.

     


    •  
      Robert Doyle (profile), Mar 19th, 2013 @ 9:09am

      Re: Bad idea

      I am pretty sure someone here can find ready examples of when the "hackers" did all the right things (contacted the company, didn't share the details, tried to warn security makers) and were still punished for even being smart enough or unlucky enough to find the problem. And the companies probably didn't even take it seriously.

      Too often we punish the people who are trying to help us because of ego.

       


      •  
        That Anonymous Coward (profile), Mar 20th, 2013 @ 2:14am

        Re: Re: Bad idea

        You mean like the story somewhere on here where a guy informs them of a flaw and they then sent him the bill for fixing it, and IIRC that was after threatening to have him arrested.

         


        •  
          Robert Doyle (profile), Mar 20th, 2013 @ 4:26am

          Re: Re: Re: Bad idea

          Yeah. But I'm too lazy to find and link it. It's worse than them just having their head in the sand, they have to take everyone else's head and stick it in there with them.

           


    •  
      nasch (profile), Mar 19th, 2013 @ 9:34am

      Re: Bad idea

      If your law against hacking results in hacking being driven more underground and people NOT revealing security flaws they find, you're doing it wrong.

      Yep. Since companies generally don't suffer any kind of punishment for security breaches, they don't have much incentive to fix or prevent them - unless they become very public knowledge. Therefore, they would rather punish and silence security people so they don't have to spend the money to fix their problems.

       


  •  
    mermaldad (profile), Mar 19th, 2013 @ 4:28am

    Et tu

    "His entire adult life has been dedicated to taking advantage of others, using his computer expertise to violate others' privacy, to embarrass others, to build his reputation on the backs of those less skilled than he,"

    Funny how this quote could, with minor grammatical modifications, be applied to the "victim", AT&T...

     


  •  
    Anonymous Coward, Mar 19th, 2013 @ 4:38am

    When you confront the state the statists fight back hard.
    Reminds me of a book about the government being wrong and you being right and how dangerous that is.
    Here is another case where jury nullification is required to be put in action.

     


    •  
      New Mexico Mark, Mar 19th, 2013 @ 5:26am

      Re:

      The problem is that now most courts circumvent jury nullification by asking a question along the lines of, "Are you willing to put aside your personal beliefs and opinions and make a decision based solely on the law and the judge's instructions?"

      Who gets screened out? The ignorant and the honest.

       


      •  
        Dreddsnik, Mar 19th, 2013 @ 7:02am

        Re: Re:

        " The problem is that now most courts circumvent jury nullification by asking a question along the lines of, "Are you willing to put aside your personal beliefs and opinions and make a decision based solely on the law and the judge's instructions?"

        Yeah, I know. Whenever I was asked that question in selection I lied and said 'yes'. People are the easiest system to 'hack'.

         


      •  
        ltlw0lf (profile), Mar 19th, 2013 @ 7:35am

        Re: Re:

        Who gets screened out? The ignorant and the honest.

        I kinda wish they would have a three strikes and you're out program for jury selection nationwide. California has the one strike and you're out, which the jury administrators hate but which works so well for me.

        Being an Engineer/Scientist, and a Libertarian, the only way I ever get selected on a jury is when the lawyers aren't paying attention (or are planning to plead guilty anyway.) Usually I am challenged, sometimes the first challenged in a jury pool. I always feel like the nerd on the playground...nobody wants me for their jury, but yet they keep calling me in (because I show up knowing that it is a privilege to do so.) In the 21 times I've been called in for jury duty, the three or four dozen cases, I've sat on two juries (both in which I played a limited role.) I don't know why the courts hate engineers and libertarians so much, but it seems like they think those people have already made up their minds, unlike school teachers and philosophers.

        It was nice when California chose the one day, one trial system. At least I don't have to keep coming back to be rejected...

         


        •  
          Beta (profile), Mar 19th, 2013 @ 8:14am

          Re: Re: Re:

          I think the lawyers train for the typical jurors. They don't know how to pitch to a juror who actually understands probability or can evaluate situations dispassionately. You're a wild card.

          So why don't the lawyers who expect to lose want to throw in a wild card to improve their chances? I think it's because they don't understand probability and can't evaluate situations dispassionately.

           


          •  
            ltlw0lf (profile), Mar 19th, 2013 @ 10:37am

            Re: Re: Re: Re:

            I think the lawyers train for the typical jurors.

            Yeah, but it is always fun when it backfires on them. I know a couple school teachers that can never sit on another jury because they were part of a "deadlocked" jury. If there is one thing that gets you removed quicker than an Engineer or libertarian, it is someone who sat on a jury that deadlocked.

            So why don't the lawyers who expect to lose want to throw in a wild card to improve their chances? I think it's because they don't understand probability and can't evaluate situations dispassionately.

            I guess that makes me feel better...

             


  •  
    Anonymous Coward, Mar 19th, 2013 @ 4:42am

    Moral of the story - submit your findings anon.

     


  •  
    Wolfy, Mar 19th, 2013 @ 4:51am

    That fellow should have just quietly contacted AT&T, given them a chance to quietly bribe him, and walked away with the cash. Isn't that what all the others do?

     


    •  
      Anonymous Coward, Mar 19th, 2013 @ 5:35am

      Re:

      They usually call it a 'job offer' but yeah, pretty much.

       


      •  
        That Anonymous Coward (profile), Mar 19th, 2013 @ 5:58am

        Re: Re:

        they gave up on the whole job offer thing because these hackers come in and expect them to actually fix stuff. That costs money. It's easier to keep tossing them in jail until people stop looking for flaws.

         


      •  
        ltlw0lf (profile), Mar 19th, 2013 @ 7:44am

        Re: Re:

        They usually call it a 'job offer' but yeah, pretty much.

        As someone who has exposed stuff in the past, be wary of the job offer or the bribe. If you aren't a member of the establishment, taking a job offer or a bribe may be seen as extortion.

        I had one company that wanted to pay me off to make me go away and stop bothering them. I had no problem "working with them" but my personal beliefs and the attitudes of my then current employer steered me away from taking any money from them. After working with them for a while, I got the impression from one of their engineers that the company was kinda hoping that I would have taken the money so that they could have had me prosecuted/fired from my job.

         


    •  
      vastrightwing, Mar 19th, 2013 @ 8:38am

      No good deed goes unpunished

      I've been in this situation. My solution was to forget about it. I didn't want to get involved. As I say, no good deed goes unpunished.

       


    •  
      nope, Mar 19th, 2013 @ 2:47pm

      Re: Wolfie

      That's not how it works. In most cases the large company won't fix the exploit and they certainly won't pay you. If he had done this he would have received a threatening letter from AT&T's legal department and the exploit would still exist.

       


  •  
    The Infamous Joe (profile), Mar 19th, 2013 @ 5:12am

    Meanwhile...

    Two kids found a security flaw in one of those electronic billboards... and the company, DPC, gave them iPads and invited them to come talk about security.

    ...in Serbia.

    What did the DPC have to say about the hacking?
    “This has never happened before, but we appreciate the fact that these guys have, in a charming way, pointed us to this huge problem. Now it is clearer than ever that we need to protect ourselves better,” DPC’s manager Slobodan Petrovic commented.
    and
    According to DPC’s [the billboard company] manager the two students are lucky to be in Serbia, as things may have ended differently in other countries. “In more developed countries, these actions are unthinkable because of severe sanctions,” he said.

    When did things get so out of hand, here in America?

     


    •  
      Anonymous Coward, Mar 19th, 2013 @ 10:53am

      Re: Meanwhile...

      "When did things get so out of hand, here in America?"

      It's the slanted opinion of a "hacker" and "cybersecurity". A "hacker" must have done it. "Hackers" are evil. We don't want "hackers" in our system. Throw the book at this "hacker" rather than fix any security issues. I mean it's worked until now right? So only a "hacker" can cause problems.

       


  •  
    Anonymous Coward, Mar 19th, 2013 @ 5:14am

    with you stating, Mike, that there was nothing illegal in what the guy did, it hasn't helped him one iota. the judge, like those in the Rasset case is interested in only two things, making sure someone goes to jail for having the audacity to expose a company failure and making sure that those bringing the charges are exonerated from blame.

    where they need to be careful is that when someone finds something that could prevent a national disaster keeps quiet for fear of those that should have found the information being so pissed that they charge the finder and jail him rather than admit to their own failings, just to save face!

     


    •  
      PRMan, Mar 19th, 2013 @ 5:33am

      Re:

      Sorry, but I'm not seeing how this is anywhere the same as the Rasset case. She did the digital equivalent of shoplifting and making a couple copies for her friends, which, while wrong, should not be fined $222,000. weev did nothing illegal, and it's a massive stretch to apply the CFAA to this case.

       


      •  
        sniperdoc, Mar 19th, 2013 @ 6:04am

        Re: Re: Uuuuhh...

        First link on Google... how does this not apply????

        Computer Fraud and Abuse Act - Wikipedia, the free encyclopedia
        en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act
        The Computer Fraud and Abuse Act of 1984 (CFAA) was intended to reduce cracking of computer systems and to address federal computer-related offenses.

         


  •  
    Anonymous Coward, Mar 19th, 2013 @ 5:24am

    thing is he did not just "expose" a flaw, you found it, exploited it, and then went public with it.

    he did not get on the phone to AT&T's security department and disclose it. But exploited it, got a bunch of information from that exploit and that is the main illegal thing he did. Try to down play that if you like, but facts are facts.

     


    •  
      G Thompson (profile), Mar 19th, 2013 @ 6:24am

      Re:

      Why should he? Basically, under every other country's laws on the planet he has NO DUTY whatsoever to explain to them that they have a security flaw before posting about it.

      It might be a better thing to call them and explain the situation but there is no legal reason to do it.

      That is unless you reside within America and have the audacity to point out the Emperor and his minions are wearing no clothes and shout it out in public.

      As for the character assassination that the prosecutor brought to bear in court, I'm amazed that the US legal system allows character in ANY criminal trial because nowhere else does, since it bears no relevance whatsoever to the instance of the alleged action(s) in the matter at hand. And no, not even to mens rea.

      Though I'm not surprised at the sentencing, it was about 'cyber' attacking one of the USA's (all the way) darlings of industry who could in no way shape nor form be negligent ever in their upholding of security and their customer information. Well the rest of the world knows they are negligent, but consumer privacy laws only ever apply when it happens to a company it seems in the USA.

      I'm amazed he didn't get the chair

       


    •  
      Keroberos (profile), Mar 19th, 2013 @ 7:34am

      Re:

      Hmm...I think you haven't hung around in the white hat hacking community much. This is a constant problem they run into with any major corporation--you can't just "get on the phone to AT&T's security department and disclose it"--the entire customer facing parts of their business are designed to not let you do this. And even if you did by some miracle get hold of someone with the authority to do something about it, or to forward the info to someone who does--what do you think the chances are that they will? The only way to get them to do anything about it is to expose it as publicly as possible, so it makes it into the mainstream news--then maybe something will get done to fix the problem--and the best way to do this is to actually use the exploit to prove it exists.

       


    •  
      JoeyPhats, Mar 19th, 2013 @ 12:29pm

      Re:

      Agreed, that's the problem. It's not the actions themselves, it's the way these "security researchers" handle it.

       


  •  
    Anonymous Coward, Mar 19th, 2013 @ 5:26am

    " harming AT&T's reputation and promoting themselves as security experts."

    that is also a criminal act, to deliberately harm a company is called industrial espionage or sabotage, you don't have to be connected to a competing company to be guilty of seeking to wilfully damage a company.

     


    •  
      RyanNerd (profile), Mar 19th, 2013 @ 6:22am

      Re:

      Exposing AT&T's security flaws (which has the side effect of hurting their reputation) is not a 'criminal act'. The facts are that AT&T should have been more careful and vigilant with their security; especially with the 'we take your privacy seriously' letters they keep sending me.

      Jailing someone for discovering a security hole and making it public will have obvious chilling effects. This is plainly an overreaching application of the CFAA.

       


      •  
        G Thompson (profile), Mar 19th, 2013 @ 6:32am

        Re: Re:

        Absolutely, it's why there are now rumblings in the field that basically anyone who finds something untoward, and is American, should now tell their peers internationally and let them publish.

        I for one will be happy to help out in this respect.

        US companies are not going to be happy if that occurs, and neither will the US Government. Also, fewer people will feel that there is any ethical obligation to tell the company first and will instead just publish anonymously (or via proxy as above) and do more harm to the company, which sometimes isn't a bad thing.

         


      •  
        Anonymous Coward, Mar 19th, 2013 @ 6:54am

        Re: Re:

        There is a difference between exposing and exploiting. Exposing a security flaw in my home means telling me it's possible to gain entry through a dog door or unlocked second story window. Exploiting is gaining entry to my home and going into my file cabinet and copying my files.

        •
          ltlw0lf (profile), Mar 19th, 2013 @ 7:57am

          Re: Re: Re:

          There is a difference between exposing and exploiting. Exposing a security flaw in my home means telling me it's possible to gain entry through a dog door or unlocked second story window. Exploiting is gaining entry to my home and going into my file cabinet and copying my files.

          Yes, but the problem is, unless you exploit the flaw, the company will just say it is a theoretical flaw that has no practical implications and thus is not worth their time and effort to fix. Been there, done that.

          Not that this gentleman did the right thing, but in some cases, the only way to show that the flaw is real and is something they need to fix is to show them how easy it is to exploit and what the damages are.

          •
            Anonymous Coward, Mar 19th, 2013 @ 8:32am

            Re: Re: Re: Re:

            So what? If I ignore my neighbor's warning and a burglar exploits the weakness whose fault is that?

            •
              nasch (profile), Mar 19th, 2013 @ 10:08am

              Re: Re: Re: Re: Re:

              If I ignore my neighbor's warning and a burglar exploits the weakness whose fault is that?

              Your analogy can only hold so far, because while your home's security flaws affect only you and your family, AT&T's affect millions of people.

              •
                ltlw0lf (profile), Mar 19th, 2013 @ 10:42am

                Re: Re: Re: Re: Re: Re:

                Your analogy can only hold so far, because while your home's security flaws affect only you and your family, AT&T's affect millions of people.

                Yeah, what he said.

                Though I'd note that you have absolutely no requirement, contractually or legally, to not ignore your neighbor's warning. If the alarm company or the police ignore the warning, then that is their problem. However, just like everything else, including being a hero or saving someone's life, if you don't want to get involved there is nothing legally or contractually required for you to get involved. Most police departments *don't* want you to get involved, unless it is to call them and let them know that the alarm is going off.

                However, if you were to point out a weakness in the alarm system installed in everyone's homes, I'd prefer to know it so I can make the necessary changes instead of being blissfully unaware of the problem and unable to fix it.

                •
                  Anonymous Coward, Mar 19th, 2013 @ 10:57am

                  Re: Re: Re: Re: Re: Re: Re:

                  Maybe the best option is to point out the problem and leave it at that. Entering and copying files was totally unnecessary and what landed this douche in prison.

                  •
                    ltlw0lf (profile), Mar 19th, 2013 @ 12:00pm

                    Re: Re: Re: Re: Re: Re: Re: Re:

                    Maybe the best option is to point out the problem and leave it at that.

                    Normally, I'd agree with you.

                    But my statement remains, that in some cases pointing out the problem isn't enough. People pointed out that the world trade center was vulnerable to airplane strikes before 9/11. People also pointed out that O-Rings were failing on the Shuttle Rocket Boosters before the Challenger incident, or pointing out that the foam used on the shuttle was tearing tiles off the shuttle before the Columbia incident. Unfortunately, in some cases, the only way to get someone to do something is when tragedy strikes. From personal experience, there were a number of times that the companies I exposed problems for ignored me until I pointed it out, along with exploit code (even after I responsibly disclosed the issue to them ahead of time.)

                    Entering and copying files was totally unnecessary and what landed this douche in prison.

                    And I totally agree, though the jury is still out as to whether this, or something else, landed this douche in prison.

              •
                Anonymous Coward, Mar 19th, 2013 @ 10:53am

                Re: Re: Re: Re: Re: Re:

                OK, Snatch. Let's make it a college dorm or the Empire State Building. It is the same theory. Size does not confer the right to enter the premises of another and to copy files.

                •
                  Anonymous Coward, Mar 19th, 2013 @ 10:54am

                  Re: Re: Re: Re: Re: Re: Re:

                  *not an insult, auto-correct malfunction*

                  •
                    nasch (profile), Mar 19th, 2013 @ 1:05pm

                    Re: Re: Re: Re: Re: Re: Re: Re:

                    *not an insult, auto-correct malfunction*

                    Thanks, I appreciate the clarification.

                    Let's make it a college dorm or the Empire State Building. It is the same theory. Size does not confer the right to enter the premises of another and to copy files.

                    Well, then the analogy starts failing because he didn't actually break in, he just found some web pages that someone was hoping nobody would find. But even if he had circumvented their security measures to get that information, it still wouldn't be a perfect analogy (there is no such thing), just in case you want to go there. :-) Any time someone says "this wouldn't be OK if it was a physical thing so it's not OK on a computer either" there is a good chance that's a flawed argument, because physical and digital are different.

        •
          Keroberos (profile), Mar 19th, 2013 @ 8:06am

          Re: Re: Re:

          And many security companies do exactly that--break in and steal stuff (exploiting). You can tell some people and corporations that their security is crap (and explain why it is), but until you show them how crappy it is by breaking in and stealing stuff (exploiting), many won't do a thing to fix it--the head in the sand approach to security (most famously demonstrated by Sony with their crappy PSN security that they had been told about by the security people in their own company and did nothing to fix until they got hacked).

    •
      G Thompson (profile), Mar 19th, 2013 @ 6:28am

      Re:

      Please cite criminal statutes that show this.... oh you can't.. That's because there are none, the only thing that might come close is Tortious Interference and that is tort law, i.e. NOT criminal

      As for Industrial espionage and/or sabotage, you really need to read more to understand how totally ignorant and stupid you appear.

      Oh and in the USA 'security experts' are everywhere, there are no standardised qualifications and professionally and personally I would state he has more ability to call himself a security person than most of the so called network/database admins at AT&T do.

    •
      Anonymous Coward, Mar 19th, 2013 @ 7:19am

      Re:

      So every time I write a scathing review of a terrible product, I'm committing a crime? I don't buy that. Customers have a right to attack the image of a company that has wronged them, and if the allegations are truthful then they can't be held as libel.

    •
      Diciple7M, Mar 19th, 2013 @ 12:54pm

      Re:

      Are you being serious? Have you ever said anything mean about a company? Something like "apple is so horrible they do -this-" or "windows sucks it only does -this". Every day we say and do things that hurt companies and other people. I do believe that the first amendment gives us the right to say what we want and when we want. This idea that we shouldn't say something so as not to hurt a company's "image and reputation" is crap.

      •
        tomxp411 (profile), Mar 19th, 2013 @ 3:13pm

        Re: Re:

        Right, but what about gathering credit card numbers and email addresses for all of that company's customers, then spreading that out for all to see?

        THAT is what this guy is being punished for, not just for finding the security hole.

        I hate that every article about this guy makes it out like he was an innocent "security researcher," when he was anything but. He was looking to do damage, and that's what he did.

        •
          nasch (profile), Mar 19th, 2013 @ 3:38pm

          Re: Re: Re:

          Right, but what about gathering credit card numbers and email addresses for all of that company's customers, then spreading that out for all to see?

          "The specific information exposed in the breach included subscribers' email addresses, coupled with an associated ID used to authenticate the subscriber on AT&T's network, known as the ICC-ID. ICC-ID stands for integrated circuit card identifier and is used to identify the SIM cards that associate a mobile device with a particular subscriber."

          Much more tame than spreading credit card numbers. Not that I agree with his technique, but three and a half years for publicizing some email addresses seems awfully severe.

  •
    Anonymous Coward, Mar 19th, 2013 @ 5:38am

    "atypical recalcitrance by the defendant to conform to the laws regarding unauthorized computer access"

    Translation: Normally our intimidation proves effective before reaching this point and the individual being pilloried has long since given up all signs of struggling against the fate we determined for them.

  •
    Anonymous Coward, Mar 19th, 2013 @ 5:40am

    Okay then, I'll keep all my zero days to myself.

  •
    Anonymous Coward, Mar 19th, 2013 @ 5:43am

    I watched the 60 Minutes interview with the founder of Twitter, Jack Dorsey. He found a security hole in the NYC train system software. He emailed security with a description of the problem and how to fix it. He also mentioned he wrote scheduling software. Two weeks later he had a job.

    That's how you do it. You don't enter through an unlocked door, take whatever you want and crow to the media in an attempt to aggrandize yourself or embarrass a company. That is exploitation; pure and simple. You do not have the right to enter a poorly secured computer network, any more than you have the right to enter my house through my oversized dog door. And once you enter my house, you have no right to go into my file cabinet and start copying my files.

    The fact that this guy is also an asshole is on him. Judges are free to sentence within the guidelines. Sounds like the court got this one right.

    •
      sniperdoc, Mar 19th, 2013 @ 5:57am

      Re: Dead on

      You pretty much hit the nail on the head. Seems like so many people out there think what he did was correct. What a skewed sense of entitlement people have nowadays. Rather sad...

    •
      ChrisB (profile), Mar 19th, 2013 @ 7:17am

      Re:

      The house analogy is stupid.

      A better analogy is a garage sale where one table is marked "free". If the seller accidentally puts items on that table and someone takes them, whose fault is it? Did that person "steal" or "trespass"? Of course not.

    •
      relyts (profile), Mar 19th, 2013 @ 1:53pm

      Re:

      Your argument contains a major flaw. How do you think he found that security hole in the NYC train system software and was able to describe how to fix it? You would have to intentionally breach their system and search for information like that. Apparently, all this person used to access information was their own IDs. This is AT&T's fault, and anyone could have been exploiting this. Andrew just happened to be the one that made the problem known. Let me ask you something. If I open the door to a public restroom and there is a naked woman there, am I going to be arrested for peeping? No, the door was unlocked and therefore the fault is on her. Nothing but a PR stunt to protect their image.

      •
        Anonymous Coward, Mar 19th, 2013 @ 6:40pm

        Re: Re:

        Perhaps, but the point I'm making is there's a difference between discovering a security flaw and reporting it to those responsible for security and taking files and other information and distributing it, then going to the press.

    •
      totalz (profile), Apr 10th, 2013 @ 7:29pm

      Re: Anonymous Coward, Mar 19th, 2013 @ 5:43am

      Nice try, idiot!

  •
    sniperdoc, Mar 19th, 2013 @ 5:55am

    One major problem

    He was a dumbass for going to the public first. That is his own fault. Bravo for finding the flaw, but dumbass followup method.

  •
    Reality Check (profile), Mar 19th, 2013 @ 6:04am

    Sounds familiar

    Her entire adult life has been dedicated to taking advantage of others, using her legal expertise to violate others' privacy, to embarrass others, to build her reputation on the backs of those less skilled than her.

    vs

    His entire adult life has been dedicated to taking advantage of others, using his computer expertise to violate others' privacy, to embarrass others, to build his reputation on the backs of those less skilled than he

    If you are a jerk with legal expertise you get to be a US Attorney, if you are a jerk with computer expertise, the other jerks will take you down.

  •
    Anonymous Coward, Mar 19th, 2013 @ 6:42am

    The chat logs show other intent

    If it was innocent exploration, I could see this being a poor application of justice. Unfortunately for weev, the chat logs contained in Wired's writeup indicate it wasn't for security purposes, it was for 'lols' and then it was discussed that disclosure of this information could/would manipulate the stock price of AT&T.

    Moral: don't go screwing around with websites, especially when they a) have something to do with America's favorite white plastic vendor and b) your results include government officials. Another good practice would be to ensure that one doesn't be a douche to everyone they come across. People love watching douches get their comeuppance. I remind you all of Prenda.

    weev is no Aaron Swartz.

    •
      Anonymous Coward, Mar 19th, 2013 @ 7:01am

      Re: The chat logs show other intent

      If it was innocent exploration, I could see this being a poor application of justice. Unfortunately for weev, the chat logs contained in Wired's writeup indicate it wasn't for security purposes, it was for 'lols' and then it was discussed that disclosure of this information could/would manipulate the stock price of AT&T.

      Moral: don't go screwing around with websites, especially when they a) have something to do with America's favorite white plastic vendor and b) your results include government officials. Another good practice would be to ensure that one doesn't be a douche to everyone they come across. People love watching douches get their comeuppance. I remind you all of Prenda.

      weev is no Aaron Swartz.

      But that won't stop Masnick from depicting the guy as an honorable, noble victim of a cruel, vindictive criminal justice system.

      •
        Anonymous Coward, Mar 19th, 2013 @ 8:03am

        Re: Re: The chat logs show other intent

        Not sure if serious.

        But Mike seems more concerned with the chilling effects related to jailing someone for finding a security flaw, rather than defending Weev.

        •
          Anonymous Coward, Mar 19th, 2013 @ 9:04am

          Re: Re: Re: The chat logs show other intent

          Weev isn't a security researcher, he's an attention seeker. A security researcher typically notifies the vendor and gives them time to fix the flaw. After the fix has been released and confirmed, full disclosure is acceptable. If the vendor fails to respond in an appropriate manner or timeframe, notifying the public is then a justifiable recourse. This isn't universally accepted, by any means, but this process makes sense to me if improving security is the goal and not a byproduct. I've seen this work in many cases, and those researchers who follow the "responsible disclosure" method are still researching and not paying lawyers to file appeals.

          Specifically, this case wasn't about finding the flaw. It was what he did after discovering the problem and what he did with the information afterwards. Finding the flaw and sending security(at)att.com and/or webmaster(at)att.com an email would not have landed him in court. Finding the flaw and going straight to Gawker with the entire scraped data-set did.

          Once the flaw was found, one or two records would have been sufficient for a Proof of Concept to be handed to the appropriate parties. Taking every single entry is indefensible and not needed to get the issue resolved.

          •
            JEDIDIAH, Mar 19th, 2013 @ 9:16am

            The RICO principle.

            > Weev isn't a security researcher, he's an attention seeker

            It doesn't matter.

            This is how bad precedents start. You start with a victim that's easy to demonize. You use that to help generate public outrage or at least apathy. You use that to distract from how you are abusing the Law.

            This "hack" was about as sophisticated as manually jumping to a particular TechDirt article. Making something like that a felony is far more of a problem than tolerating genuine evil (as opposed to a mere jerk).

            •
              Anonymous Coward, Mar 19th, 2013 @ 9:25am

              Re: The RICO principle.

              The technical difficulty of the intrusion isn't material. The actions of the convicted are. There was clearly malice involved in this act.

              As I said, there are plenty of security professionals and amateurs finding and reporting flaws every day. Very few - if any, and definitely none that I'm aware of, are prosecuted if they behave as described in my previous post.

              •
                nasch (profile), Mar 19th, 2013 @ 10:51am

                Re: Re: The RICO principle.

                The technical difficulty of the intrusion isn't material. The actions of the convicted are.

                I see what you're saying, but in this case in a very real way he was doing nothing but disclosing publicly available information. He didn't have to bypass any security measures at all to get this data. If he got to the pages he found by following a link on AT&T's web site, anybody would agree that would be purely on AT&T's shoulders. Why is it a felony when he does it by typing in the URL instead?

                There was clearly malice involved in this act.

                Even if true, just because something was malicious doesn't make it illegal. At least I hope the CFAA isn't written THAT badly.

                •
                  Anonymous Coward, Mar 19th, 2013 @ 11:53am

                  Re: Re: Re: The RICO principle.

                  It wasn't a published URL, they knew they were obtaining subscriber data that wasn't theirs, they had no misunderstanding that what they were doing was wrong, and the point wasn't to help AT&T secure their site. That is unauthorized access regardless of how stupidly simple it was to get there.

                  •
                    nasch (profile), Mar 19th, 2013 @ 1:10pm

                    Re: Re: Re: Re: The RICO principle.

                    That is unauthorized access regardless of how stupidly simple it was to get there.

                    Obviously the court agreed with you. To me, the fact that the information was on a publicly available web page with no security measures protecting it means you could at least make an argument that access was implicitly authorized. Kind of like looking into someone's back yard from the sidewalk when they haven't put up a fence. They haven't invited you to look, but they haven't done anything to indicate they don't want you to, either. AT&T didn't take any steps to ensure the public didn't look at this data, they just didn't take any pains to make sure it was obviously available. It's just a little scary to me to put someone in jail for 41 months for this. If anyone should be in trouble, it's AT&T, in my opinion.

  •
    mh, Mar 19th, 2013 @ 7:08am

    Enormously stupid

    This is beyond stupid and scary. If anything, a class action case can be argued against AT&T for not taking even basic measures to ensure the security of their clients, which would violate whatever privacy policy they have in place.

    It would actually be interesting to read the privacy policy and see what "reasonable security measures" AT&T agrees to and is liable for. I am almost certain passing a password in the URL would amount to gross neglect on account of the service provider, and personal identification should be treated no differently.

    A long time ago, on an IRC channel, a Yahoo server was hacked, and the details were shared amongst all people on the channel. Some of them immediately dug into the MySQL records, some went after log files... I looked up /etc/passwd, got a phone number from there and dialed it. It was a Sunday afternoon, and I got some Yahoo employee. I shared all the details of the hack, my information in case he wants to talk, and hung up. The system was taken offline, restored, and I got an email from the guy saying "Thank you".

    What the hell has happened between now and then?

    p.s: I am not a jerk... but that certainly can't have any bearing on what transpired, right?

  •
    Anonymous Coward, Mar 19th, 2013 @ 7:24am

    Poor weev. Well, good thing weev collected information on a bunch of famous folks who had iPads. Now he can just sell all that info, make a couple million and pay off that fine right away. At least now he has a retirement option.

  •
    Anonymous Coward, Mar 19th, 2013 @ 7:31am

    You know when I was a kid I thought the law was supposed to uphold the morals of society. Protect the good. Punish the evil. As an adult it never ceases to be disheartening to see how often it serves to punish the intelligent or good natured on behalf of those who are simply powerful and don't want their status quo interfered with.

    If I ever have kids, I may have a tough time teaching them to respect the law for any purpose other than self-preservation. It's a shame.

    •
      tomxp411 (profile), Mar 19th, 2013 @ 10:29am

      Re:

      punish the intelligent or good natured

      Do you honestly think that applies here? This guy was looking to harm AT&T, not trying to be a white hat.

      In the larger sense, yes - I agree. Whistle blowers often get the shaft, and the legal system does often protect the rich far more than the innocent.

  •
    tomxp411 (profile), Mar 19th, 2013 @ 8:40am

    Remember, it's a JURY trial

    This is one example where a jury of one's PEERS could be done better.

    I've been on a few jury panels (never actually been a juror), and it seems that the people picked are the ones who know little about a case. Anyone with computer knowledge will be excused by the prosecutor. Anyone with law enforcement ties is excused by the defense.

    The goal seems to be to get a group of 12 people who know absolutely nothing about the subject matter of the case.

    It's not really a wonder that people are convicted of CFAA violations when they're often just exploring potential bugs out of a sense of curiosity or even being security-minded.

  •
    Ken O., Mar 19th, 2013 @ 8:44am

    Oh please....

    He got popped because he did the WRONG thing, rather than for the fact that he 'exposed a security risk'. The writer states; "To call attention to this, weev collected information on a bunch of famous folks who had iPads and alerted the press. This is what security folks do all the time." and is incorrect. What REAL security people do is notify the company that they've located a hole and offer to either give them the info about it, or offer to sell them the info about it. They don't gather info and "alert the press".

  •
    Anonymous Coward, Mar 19th, 2013 @ 8:44am

    It's sad that they're throwing him under the bus just because he's a dick... "which is perfectly legal"

    I know of a few small security holes for some file lockers and one very evil one which I'd never even report just because of fear.
    I also know of a small one on Hulu having to do with their AD services which I told them and nobody else but needless to say it's 3 years later and it's still not fixed.

    I would not even consider myself a hacker I'm just a curious mother fucker and sometimes I see something that just looks like it could be abused. I don't look to embarrass a company though, shit these days I would not even tell them when the thanks could possibly be prison.

  •
    Anon, Mar 19th, 2013 @ 9:02am

    Do you have an editor? Have you studied any sort of writing at all? You have no idea when and when not to use commas - your writing style is horrible.

  •
    Anonymous Coward, Mar 19th, 2013 @ 11:34am

    Violating Others Privacy IS A CRIME

    While the "taking advantage of unskilled others" is vague, repeatedly violating someone's privacy is in fact illegal in many instances. I don't think this guy should be in jail for this, but maybe he had it coming.

  •
    JoeyPhats, Mar 19th, 2013 @ 12:22pm

    Come on people

    I think the sentence is a bit overbearing. But he is a jerk. If you find a security hole you don't go rooting around and collecting information on famous folks then leak it to the press! You don't leak it to the press; if you're a real security expert you contact the company and allow them time to fix it. If they don't or show they aren't trying then sure, leak away. That is the problem with most of these cases: it's not the actions that are getting punished, it's the way these "grey/black" hat hackers handle it. They do it in the worst way possible.

  •
    Anonymous Coward, Mar 19th, 2013 @ 12:25pm

    "His entire adult life has been dedicated to taking advantage of others, using his computer expertise to violate others' privacy, to embarrass others, to build his reputation on the backs of those less skilled than he,"

    Or as I like to call it, standard operating procedure.

  •
    JimmyTorino, Mar 19th, 2013 @ 12:44pm

    Expose A Blatant Security Hole

    Now wait a minute. From reading the title of this post one would think he called and informed AT&T about a security hole he discovered and then was arrested for it. But in reality he went beyond just the discovery, he intruded on people's private data and then shared it with others. I am sure THAT is why he was put in jail. If you discover something like a security breach in a bank for instance (real world bank, not internet) in which you have the ability to walk up to the back from the outside and move a loose brick on the building allowing you access to customers' personal data, and then you take that data and disperse it to other people, would that be ok? Wouldn't you just go into the bank and say "hey, there is a loose brick on your outside wall"......think about it.

  •
    Anonymous Coward, Mar 19th, 2013 @ 1:52pm

    Unfucking believable

    While they're busy imprisoning those who find security flaws, and inform the people with that security flaw, for the purpose of them patching it, so any people/customers involved are that little bit secure...........the others looking for security flaws, to benefit through less than moral reasons, can keep using the same flaw, for god knows how long, because the person who may have discovered it, is in prison.

    Anyone involved in pushing this through putting this guy away, should be held accountable for any future hacks.........oh I'm sorry, did you just say "but they've got nothing to do with it"

    A) one, they are, if their actions prevented a patch
    B) THIS guy isn't committing a serious crime, more of a public service

    •
      tomxp411 (profile), Mar 19th, 2013 @ 3:15pm

      Re:

      This article didn't bother pointing out that he gathered email addresses and (if I understand correctly) credit card numbers of all of the AT&T iPad customers.

      Then distributed that list.

      This was NOT an innocent security researcher.

        Anonymous Coward, Mar 19th, 2013 @ 6:34pm

        Re: Re:

        Funny, I'd have thought that someone who "does journalism" would have felt a moral obligation to disclose serious criminal conduct when decrying a 41 month sentence by claiming all "he did was expose a pretty blatant security hole in AT&T's servers". Perhaps Masnick felt these facts might undermine his claim that the law was unduly harsh and the crime was minor.

    Sambo, Mar 19th, 2013 @ 2:12pm

    Quick, get him on the ticket

    "His entire adult life has been dedicated to taking advantage of others, using his '______ _____' to violate other's privacy, to embarrass others, to build his reputation on the backs of those less skilled than he,"

    Sounds like every politician on earth!

    peter baker, Mar 20th, 2013 @ 7:07am

    makes you wonder

    If he had used the information for fraud, would he have got a smaller sentence?

    uRspqF7L (profile), Mar 20th, 2013 @ 6:51pm

    insanity

    the insanity of this story and so many of the responses to it on this site is a demonstration of one reason the prosecutors and judge took this case so far.

    1) so few of the commentators care at all about the actual facts of the case--they have already decided (wrongly) that there was no evidence of weev's own malicious commercial self-interest. But there was substantial evidence presented at trial that he was not trying to "expose a security hole." So any story that bends the facts this way is starting from a wrong premise. The government convincingly (to the judge and jury) showed that he was trying to profit from his access to this information;
    2) the very premise of the story--that what weev did was "expose a blatant security hole"--makes no sense on the surface. 10 or 100 email addresses would have sufficed to make that point and would have been very unlikely to produce this prosecution. 120,000 email addresses is prima facie evidence that he intended to do something far beyond "exposing a security hole";
    3) from reading biographical stories about weev, it seems entirely likely that he had done this sort of thing before to his own significant profit--he had a lot of money of unclear origin;
    4) to the commentator who compared this to looking into your neighbor's unfenced yard--that is both a frightening misunderstanding of privacy, and wrong, in that if I write down your account number on a piece of mail that I can see from the street, and then give that information to somebody else or have the intent--even the INTENT--to use it to my own profit, the fact that it was "visible" is irrelevant. It is stealing something to which I have no right--and it's stealing EVEN THOUGH I may have left the original document where it was.

    Anyone who thinks weev is a freedom fighter is reading the wrong dictionary and the wrong law code, and that so many people do (on SUCH flimsy evidence and poor reading of the actual news stories) SHOULD concern law enforcement--and those of you who portray him as a freedom fighter are ensuring that crackdown is even harsher. This site is amazingly blinkered, but this story is exceptional even by those standards. I know it's cool to love the outlaw, whatevs, but if you love the outlaw because they break the law, you don't then get to ask for the system to go easy on them too.

      nasch (profile), Mar 21st, 2013 @ 6:31am

      Re: insanity

      to the commentator who compared this to looking into your neighbor's unfenced yard--that is both a frightening misunderstanding of privacy, and wrong, in that if I write down your account number on a piece of mail that I can see from the street, and then give that information to somebody else or have the intent--even the INTENT--to use it to my own profit, the fact that it was "visible" is irrelevant. It is stealing something to which I have no right--and it's stealing EVEN THOUGH I may have left the original document where it was.

      What law exactly would that violate? And who do you think the victim should be angry with, the perpetrator, or the company that puts sensitive information on the outside of his mail, or the post office for leaving his mail out where anyone can see it, or all of them? I'm not claiming weev is innocent of wrongdoing, I'm questioning whether a 41 month prison sentence is appropriate. If he had done the exact same thing with information he found in a trash can, would he have gotten the same sentence? Or is this different because it was "on the internet"?