So...
It's basically the fact that he wrote a script to do something that he could have done one by one manually that got him a couple of years of jail time?
Lawyers for Andrew "Weev" Auernheimer went to court on Wednesday to appeal his conviction in a high-profile iPad data leak case. Auernheimer, a member of the grey-hat hacking collective Goatse Security, was jailed for three years and five months back in March 2013 after he was found guilty of leaking the private email …
What, for hacking Amazon because they reclassified gay literature as pornography?
Oh because he's a troll, except he's a troll in the old use of the word. I think the GNAA are actually quite funny. I rather enjoyed the media coverage of the Sandy Loot Crew.
You are free not to and might not like him, but I haven't seen or heard anything that he's done that deserved three and a half years in federal nick.
He would have received a medal. OTOH, he peeked into a wide-open server and it's called hacking? And he's been prosecuted by lawyers and before judges who have no clue? In the military, we had the UCMJ which paraphrased into Uniform Code of Marsupial Justice. This seems to be the current state of the US judiciary lately.
I'm sure there's other things he did since he's "grey-hat"... but he told them what he found and didn't use it for evil. Sort of like telling a store owner he left the front door to his business unlocked last night and then getting jailed for breaking and entering. BS.
quote: "That's the new way of doing security: Wait for some honest person to point out a gaping hole in your defences, then blame them for it."
Unfortunately there is no "honest person" in your example; finding the gaping hole is apparently a crime in and of itself ^^;
Fortunately it does lend itself to the interpretation that information on your computing device is "protected" from foreign actors via that same legislation; e.g. the WhatsApp trawling of people's contact databases on the phone is a similar CFAA offense.
You may even be able to persuade people to indict Facebook for "handling stolen goods" (aka the WhatsApp contact databases purloined from people's phones) if you're lucky :D
Like it or not - he mined data and published it. How easy it was or not is immaterial.
However pure his motives (and I suspect there was an element of frustration and "for the lols" involved) - he broke the law.
I do think his punishment is well out of proportion to the crime - I presume the law he was charged under didn't allow a more lenient sentence.
So, because the server was insecure and he didn’t have to try very hard to get the data, that gives him the right to get it?
While I know there is an obvious difference between copying and stealing, in that copying doesn’t deprive the original owner of the thing itself, an analogy is if someone steals the plant pots from your front garden, have they not committed a crime, just because it was easy to do? The plant pot wasn’t fixed to the ground. There is no fence around the front of my house. So it was a very insecure plant pot, it was fair game and I deserve it?
No, I don’t think so. I think he’s guilty. Whether it deserves over 3 years in prison is something else, but there’s no way his conviction should be overturned, based on that line of defence at least.
Yes, a much better analogy.
And the guy didn't publish the results (according to the article), he handed it over to a "news" site, which published a redacted list - which usually means that personally identifiable information is removed.
If he had sold the information to an identity theft ring or something, I could understand him being prosecuted. In this case, from the details in the article, it seems he actually responded fairly ethically with his find.
Unclear from the article is whether he first approached AT&T and they told him to bugger off or whether he went straight to Gawker.
Regarding Daniel Cuthbert of the infamous DEC Hacking case.
http://www.theregister.co.uk/2005/10/11/tsunami_hacker_followup/
So whilst the presentation of "fact" by the prosecutor in this newer instance offends our professional opinion, glass houses and stones.
Auernheimer did not cause any criminal damage. Nor did he change any part of the server, it was already insecure.
Auernheimer did not profit from the escapade. He could have sold the list on the black market instead he voluntarily shared it with Gawker.
Auernheimer did highlight the incompetence of 'public officials' which as far as I can reason is closest to whistle blowing. A person does not have to be an employee to be a whistle blower, they only need to be "making a disclosure in the public interest".
"This was a hack," Assistant US Attorney Glenn Moramarco (inarticulately) argued. "He had to decrypt and decode, and do all of these things I don't even understand."
I may be a simple country lawyer, but this mega telecommunications company tells me this man was hacking their computers from the intertubes. Now if there's one thing I know about hacking, it's that this man is guilty of it!
>>Neither Weev nor AT&T is based in New Jersey, where the prosecution was heard.
That's a puzzling statement given that AT&T's global network operations center is in Bedminster, NJ and the former AT&T Corporation from the Bell System breakup until the SBC merger was headquartered there, I'm sure they have pull with the prosecutors still. The Corporate Headquarters may be in Dallas now but the infrastructure is in New Jersey still.
quote: "You enter someone's house and take something that doesn't belong to you, it's theft.
It doesn't matter that they left the front door wide open, it is still theft."
Pictures. You enter someone's house and take pictures of their stuff, leaving the originals in place. You then give those pictures to a newspaper.
Is that theft? No. Is the newspaper handling stolen goods? No. Is entering their house through a wide open front door "breaking and entering"? No. It's trespass at best, and here in the UK that is a civil matter, not criminal.
And in this instance, it is more analogous to entering a shop lobby through a wide open front door, because this information was taken from their public facing webserver. A computer that the public are invited to contact and make requests of.
Or in other words, if I were to walk in to Best Buy, take photos of information displayed on payment terminals inside the store (showing transaction details for people buying goods, for instance), and then give those pictures to a newspaper, I've done a meatspace Weev. "Here is a copy of personal information that was left publicly visible at the Best Buy store, they should secure this stuff better LOL".
And a judge could say "This was a hack, they did 'shoulder surfing' and 'photographing' and all these things I don't even understand." and then give me a several year custodial sentence for hacking and identity theft.
People consistently use (sometimes deliberately) incorrect analogies in order to reinforce their point. I may well have done so above, and I would be happy for someone to correct this with something that better represents the action of copy-pasting from a browser window, after sending an HTTP GET request to a webserver that was willingly fulfilled by the aforementioned server.
The particulars of this case would, in my mind, immediately kill the case. The fact it hasn't says something very scary about how we define "hacking". If his appeals aren't successful, as a side effect I think we'll see less publicity from grey/white hijackers, combined with more gubmint attacks on good hackers...
Net result == fewer white hat hackers, fewer vulns being reported in the open, more innocents in jail. More hackers will work with companies that silently make payments to learn about new bugs, to be sold at a premium to big companies, governments, etc. so they can exploit the flaw. It's key that the 0day vendors not notify the party which has the bug in their product(s)/site(s). Compare that outcome vs. the man in this case who found a bug and went public. If he can't win his court cases all us IT folk are going to have to be ever more careful about how we report bugs. Or perhaps better for us: use a cash-for-zeroday.
I think it's about time that attorneys become certified as to the specific areas of the law they are allowed to argue over. If it's a tech case then the attorney should have a cert stating they actually know what a bleeping computer is.
Kind of like doctors. A general practitioner would likely be jailed for attempting to perform brain surgery. A lawyer without a certification in tech should be barred from even being in the room.
Let's understand something here. Getting into the server means figuring out a credential hack. Once that is done, the "innocent" thing to do is to contact the server owner and send them the credentials as proof of the hack.
I find your front door open I dial 911 and tell the cops so they can contact you.
Going for a wander around to see what's what suggests a rather more sinister agenda even if all he got was some e-mails.
I take photos of your front room after wandering through them all and copping a good look at your sleeping daughter. Only the fact that you didn't see me in her room stops you from taking an axe-handle to my head.
And AT&T's people aren't "public servants" as one commentator suggests, they are corporate employees. They don't work for you, they work for a large multinational corporation that has a well-known sensitivity about its computers and is able to afford the legal heft to do something about it if they find an intruder has been at the family china.
I have to question the intelligence of someone who breaks into a machine belonging to such an entity, then goes for "lols" to prove he did it.
When did the "if it doesn't belong to you don't touch it" rule stop applying? And why, after so many people getting their fingers slammed in the till drawer, can't these "security hole alerters" realize that they are *never* as clever as they think they are?
I'm waiting for the inevitable "Asperger's Defense" to be filed and for the inevitable downvotes from those who thought that pulling out the upholstery and carpets from a new car and hosing it out with water was not at all suspicious for a murder suspect.
quote: "Let's understand something here. Getting into the server means figuring out a credential hack."
Nope, in this specific case it was simply editing the HTTP GET request made to the server to insert different ID numbers, e.g. instead of
http://www.att.com/accounts/details.php?ipad_id=12345678
you instead go for
http://www.att.com/accounts/details.php?ipad_id=12345679
and the webpage you get back has someone else's email address on it. No login required.
Hopefully that should put this quote from the article in a new light:
"This was a hack," Assistant US Attorney Glenn Moramarco (inarticulately) argued. "He had to decrypt and decode, and do all of these things I don't even understand."
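An added illustration of the flaw this comment describes (not code from any commenter, nor AT&T's actual code): a lookup keyed only on the guessable id from the query string, beside the hardened form that checks the caller's session owns the id, plus a defender-side check that flags a client walking consecutive ids in the access log. The ACCOUNTS and SESSIONS tables, the session tokens and the log lines are all constructed for the example.

```python
import re
from collections import defaultdict
# Constructed sample back end standing in for the AT&T side of the thread:
# device id -> account email. Not real accounts.
ACCOUNTS = {12345678: "alice@example.com", 12345679: "bob@example.com",
            12345680: "carol@example.com"}
# Hypothetical session table: session token -> the device id that user owns.
SESSIONS = {"sess-alice": 12345678, "sess-bob": 12345679}

def details_vulnerable(ipad_id):
    """The flaw as described: the guessable id in the query string is the only
    key, so ipad_id+1 returns the next customer's email. No login involved."""
    return ACCOUNTS.get(ipad_id)

def details_hardened(session_token, ipad_id):
    """Fix is authorisation, not a harder-to-guess id: the caller must hold a
    valid session and the requested id must belong to that session's user."""
    owner_id = SESSIONS.get(session_token)
    if owner_id is None or owner_id != ipad_id:
        return None  # unauthenticated, or someone else's device
    return ACCOUNTS.get(ipad_id)

LOG_RE = re.compile(r'^(\S+) .*"GET /accounts/details\.php\?ipad_id=(\d+)')

def enumeration_suspects(log_lines, threshold=3):
    """Detection side: map each client IP to the longest run of consecutive
    ipad_id values it requested; flag runs of at least `threshold`."""
    ids_by_ip = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            ids_by_ip[m.group(1)].add(int(m.group(2)))
    suspects = {}
    for ip, ids in ids_by_ip.items():
        ordered = sorted(ids)
        longest = run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= threshold:
            suspects[ip] = longest
    return suspects

# Constructed Apache-style access-log lines, not a real capture.
SAMPLE_LOG = [
    '203.0.113.5 - - [t] "GET /accounts/details.php?ipad_id=12345678 HTTP/1.1" 200 512',
    '203.0.113.5 - - [t] "GET /accounts/details.php?ipad_id=12345679 HTTP/1.1" 200 510',
    '203.0.113.5 - - [t] "GET /accounts/details.php?ipad_id=12345680 HTTP/1.1" 200 515',
    '198.51.100.9 - - [t] "GET /accounts/details.php?ipad_id=12345679 HTTP/1.1" 200 510',
]
```

Running `enumeration_suspects(SAMPLE_LOG)` flags only the first client, which requested three consecutive ids; the single lookup from the second client is left alone.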
quote: "I find your front door open I dial 911 and tell the cops so they can contact you."
Which of course invites the question of what you were doing looking at someone else's front door? Would you mind stepping to one side and turning your pockets out for us sir?
quote: "When did the "if it doesn't belong to you don't touch it" rule stop applying?"
Apparently at least several centuries ago, although it is more likely to be further back at the point that "rulership" was defined as a concept back in the mists of time. If you can reconcile "if it doesn't belong to you don't touch it" with the concepts of "search and seizure", "border control", or even "taxation" then you are a better (or arguably worse) man person than I. All my attempts end up sounding suspiciously like Communism (and/or Socialism).