from the bad-news-all-around dept
We’ve covered the lawsuit against Andrew “weev” Auernheimer, in which the feds pushed criminal charges against him under the Computer Fraud and Abuse Act (CFAA) for discovering a massive (and ridiculous) security hole in the way AT&T set up the iPad. Basically, they saw that AT&T handed out iPad IDs in numerical order, and then left the website open, allowing him (and a partner) to just increment by number and get back email addresses on everyone who owned an iPad. The feds seemed to argue that this was some nefarious evil hack, and Auernheimer was sentenced to 41 months in prison and has to pay $73,000 to AT&T (roughly the cost it took AT&T to inform its customers of its own bone-headed lack of security). So much about this case is ridiculous, and it’s complicated by the fact that nearly everyone agrees that weev is a world-class jerk. But, you need to separate that out from the details of what he did here, to note that it was nothing particularly special, and it involved the sort of thing that security researcers do all the time, and which all sorts of non-security researchers do quite often.
Auernheimer is appealing, and the DOJ filed its brief a week and a half ago. It took me until this weekend to finally have the time to dig into the full 133 pages, to realize just how ridiculous the whole thing is. Tim Lee, over at The Switch has a great explanation of what’s going on here aimed at less technologically savvy folks. Meanwhile, Robert Graham has an equally fantastic writeup for the slightly more technically savvy world over at Errata Security.
We’ll dig into some of the details in a bit, but as Graham points out, the feds somewhat obnoxiously nearly doubled the word limit imposed by the Third Circuit (the brief is 26,495, but the court only allows 14,000 as an upper limit). This is ridiculously unfair, because it lets the DOJ go on, at length, making claims that are almost wholly untrue, and at times ridiculous, while weev’s lawyers were hamstrung in limiting what they could put in their own brief. Welcome to the criminal justice system where the DOJ still seems to think it gets to play by its own rules.
And, really, that’s the most ridiculous part of all of this, because while the DOJ wants to play by its own rules, nearly its entire argument against Auernheimer is that he “didn’t play by the rules” where “the rules” it’s talking about aren’t actual rules at all, but rather what the DOJ makes up in the minds of some clearly technologically-illiterate lawyers.
The short version is that the government’s case is quite scary in the way it portrays weev’s actions — such that it could easily criminalize all sorts of things. For example, it goes on about changing the user-agent, as if this is some awful thing and a form of “lying.”
Spitler changed the user agent in his Account Slurper program in order to trick the servers into thinking that he was using an iPad…. He “lied to the AT&T servers” in order to get the information…. Spitler gathered this information without asking for permission from AT&T or from any of the iPad users that he was impersonating…. AT&T did not design its system to allow these email addresses to be made public.
There are so many problems with this. First, there are no hard and fast rules about user-agents that suggest this sort of thing is breaking the law. As both Graham and Lee point out, if “faking” the user-agent is a form of “lying,” nearly every browser does that and has for years. That’s because years ago, Microsoft added “Mozilla” to its user-agent since many websites optimized for different browsers, and Microsoft wanted servers to believe it was competitor Netscape, which many sites had designed to be nicer. So pretty much all browsers “lie.” Hell, for many years I’ve personally used “user agent switcher,” a plugin for browsers, to change my browser user agent at times, mostly for simple testing on certain websites, and sometimes for reporting purposes (to see how different sites provide different info to different browsers). I never thought I was “lying” or coming close to committing a crime. It’s just a bit of info a browser, or other piece of software, sends to a server to get information returned.
Similarly, the idea that AT&T “did not design its system to allow these email addresses to be made public” is simply, empirically, false. If they hadn’t designed it that way, then weev and his partner wouldn’t have been able to access it the way they did. The problem was clearly AT&T totally failed to lock down this system. Furthermore, they didn’t need to “ask permission” because they sent a request to the server and the server answered. If they didn’t have permission, the server would have rejected the request. It didn’t. The problem was very clearly AT&T’s. To charge weev with criminal charges for this is really insane.
Changing the user agent isn’t breaking any “rules” — except in the mind of the DOJ.
The DOJ really stretches to try to paint the actions by Auernheimer’s partner as some masterful “hack” when the details suggest otherwise. The brief goes on at length about all the “steps” that Daniel Spitler had to go through to get access to the information, but most of the “steps” are ridiculously padded, because they have nothing to do with the “hack” itself, but were merely about Spitler trying to setup his computer to act like an iPad. That might sound odd and involved to the clueless lawyers at the DOJ, but this sort of thing is done all the freaking time by security researchers. That’s how they can more easily test stuff out, by getting their computers to act like other machines. In theory, I guess, Spitler could have done the whole thing via an iPad, but what’s the point? The whole idea was, in part, looking for security vulnerabilities. The fact that it took Spitler a bit of time and effort to get his computer to emulate an iPad has nothing to do with the scanning itself, but the DOJ uses it as if it shows how “difficult” AT&T made it to find these emails. That’s wrong. AT&T made it quite easy to find the emails. The fact that Spitler had some trouble getting a computer to emulate an iPad is a totally separate issue.
From there, the DOJ starts playing dirty, pretending that because judicial law clerks can’t find the same kind of security hole, it somehow means that Spitler and Auernheimer were up to no good:
If an ordinary, but reasonably sophisticated computer user, like a typical judicial law clerk, had been assigned the task of compiling a list of e-mail addresses of iPad users available on AT&T’s servers, he almost certainly would not have been able to duplicate what Spitler did. The law clerk would likely go to AT&T’s website and search in vain for any links or other means to access this information. No hyperlinks or search engine requests would have produced the desired results.
This is really obnoxious. The US Attorneys working on this case know that a judicial law clerk is going to make the key call on this case, and this is a way to flatter those law clerks, claiming that they’re “sophisticated computer users.” But a “sophisticated computer user” is quite different from a security researcher or a higher level technically proficient user. The fact that they couldn’t find this info via a search engine is meaningless. No one is arguing that the info was available via search — but rather that it was incredibly wide open because of a security hole, and yes, you’d need some level of technical proficiency to figure it out, but as far as I know there’s no law making it illegal to be more technically proficient than a law clerk.
Later, the DOJ argues that using the ICC-ID number, which AT&T assigned incrementally is the equivalent of using a password. They’re apparently not joking:
The argument that the ICC-ID “is not a password,” begs the question of what counts as a “password.” Wikipedia defines a “password” as “a secret word or string of characters used for user authentication to prove identity or access approval to gain access to a resource (example: an access code is a type of password), which should be kept secret from those not allowed access.”… MK makes the facile argument that an ICC-ID is not a password because it is frequently printed on the outside of phone packaging, and thus is not secret. But that cannot be correct. Combinations to locks are often printed on the packaging, but the combination nevertheless is the secret “password” that opens the lock. Openness to the public prior to purchase is irrelevant, because after purchase the combination becomes the owner’s secret. So too with an ICC-ID. Once a phone or other device using an ICC-ID is purchased, no one can easily learn the ICC-ID unless he or she actually possesses it.
Try not to guffaw. Yes, even though the ICC-ID is just an incremental number, permanently stuck to a device, and is permanently printed on the device, the DOJ is insisting that it’s still just like a password. The fact that combinations are printed on packaging is meaningless, because it’s not meant to be left on the lock. Furthermore, this totally ignores the fact that the ICC-IDs were incremental. If AT&T had intended them to be secret, rule number one would have been to use a system that you couldn’t guess others accounts merely by adding one. And it gets worse:
An ICC-ID, unlike a password, is a unique identifier. In that regard, when it is used to gain access to a server, it can be even more secure than a password chosen by a user, which frequently can be guessed. Certainly a 19 or 20 digit ICC-ID is harder to guess using brute force than a typical four-digit ATM access code, misuse of which would certainly constitute a CFAA violation.
Except, uh, that’s not how an ATM card password works (and, yes, ATM cards are not particularly secure). You don’t put your ATM card into a machine and it automatically reads the code off the card and lets you into your account. That is, the PIN code is designed to be separate from the card, with the idea being that to get into your account you need both something physical and something in your head. The ICC-ID isn’t like that. It was designed to let the user automatically access their account without a password. There wasn’t that second “thing in your head” that makes a password a password.
From there, the DOJ tries to attack the fact that the “hack” was merely adjusting the URL incrementally to access each account. It does this by arguing that because SQL injection attacks can happen via a URL, therefore any “hack” via a URL can be a malicious hack.
For example, Albert Gonzalez was the mastermind of a credit card theft ring responsible for reselling more than 170 million credit card and ATM numbers from 2005 through 2007, the largest such fraud in history…. Gonzalez’s ring used what is known as an SQL injection attack, which can be performed by entering an “address” in a URL or entering data in publicly facing web forms. In many common SQL injection attacks, the challenge for the hackers is to determine the correct characters to send to the network’s database storing the data the attacker intends to exfiltrate. However, once the vulnerability is determined and the appropriate combination of characters is discovered, many SQL injection attacks can be reduced to a URL because malicious code entered into a form field in a website is often delivered to the victim’s network from the attacker’s computer in the form of a URL that includes within it the malicious string.
But, an SQL injection attack is very very different than merely incrementing a number in a URL. Yet, the DOJ wants to equate the two. That’s crazy. It goes on to try to link the two things much more closely:
And the result of these attacks, like the result in SQL injections, is that the browser returns unauthorized data from a database. An SQL injection attack is among the most dangerous and notorious hacks used today…
Sure, an SQL injection attack can be “dangerous and notorious,” but that’s because it’s entirely different than incrementing a number. An SQL injection to gain much more power over an entire server is not the same as just flipping through pages that are easily available. The attempt to link the two is crazy, but certainly could be used to mislead a less technically savvy “law clerk,” for example.
Later, the DOJ further argues Auernheimer and Spitler were guilty of bad things because they didn’t contact AT&T, but rather purposely chose to go to the press (specifically, Gawker) to publicize the discovery of the security vulnerability. While it’s true that it’s common to alert a company ahead of time, the fact that they didn’t do this is kind of meaningless here. If they were really up to no good, they wouldn’t have publicized the vulnerability at all. Yes, they sought to “benefit” from it: they wanted to use it to get attention for their security work at Goatse Security. But using the discovery of a security vulnerability to help get attention for their own security research operation doesn’t seem like evidence of nefarious intent. In fact, it seems like exactly the opposite. Then there’s this craziness:
The groups of security researchers and computer professionals who have filed amicus briefs in this case need not be troubled by this prosecution of this black hat hacker. Major technology companies today – Microsoft, Google, Facebook, PayPal, and Mozilla, to name a few – all pay bounties to white hat hackers who find flaws in their systems and thereby help keep them secure. The Government is not aware of any instance in which a security researcher who followed the rules of ethical hacking was prosecuted for violating the CFAA. Often, when a white hat hacker discovers and reports a security flaw, he is rewarded financially for his work by the company that he has hacked. But no one, not even a white hat hacker, gets to make his own rules.
Except, as Graham notes, the list above is the entire list of tech companies who pay bounties to white hat hackers. Most tech companies don’t do that, including… AT&T. Furthermore, Graham highlights this wacky line: “The Government is not aware of any instance in which a security researcher who followed the rules of ethical hacking was prosecuted for violating the CFAA.” Yes, they’re back to their made up “rules.” As Graham points out in response:
This is circular logic, saying that people who follow the rules don’t break the rules. When the prosecutors make the arbitrary decision that you’ve violated the CFAA, they’ll likewise decide that you don’t follow the rules of ethical hacking. Such circular logic is the basis for the prosecutor’s entire argument: Weev is a bad guy because he’s a bad guy.
When that’s the way the law is read, you no longer have the rule of law. And that’s why the case against Auernheimer is so ridiculous. It only works if the feds get to make up the rules as they go along, and argue that something is wrong, because they say it’s wrong.