and found is in quotes for a good reason, as the drugs “found” near
  me were “found” in the execution of a warrant for computers only

I don't know where the myth came from that only evidence related to the probable cause of the warrant is admissible. This is an on-face absurd interpretation: by that logic, if the police entered a house to search for evidence of felony tax evasion and stumbled upon a murder in progress, that wouldn't be admissible because the police weren't in the house searching for a murderer.

There is plenty of case law establishing limits on reasonability. For instance, in the execution of a lawful search of an apartment looking for weapons, officers saw a stereo that 'didn't fit the furnishings'. They lifted up the bottom of the stereo to take down serial numbers, and the person was arrested for having stolen the stereo. The problem, of course, is that weapons aren't stored under the bottom of a flat-bottomed stereo, and certainly the serial numbers weren't a reasonable part of the search for weapons.

But having drugs out in the middle of the room in 'plain view' is clearly reasonable. Even from weev's own post, the drug evidence passes the Horton test.

http://en.wikipedia.org/wiki/Plain_view_doctrine

  Warrants are favored in the law and utilization of them will not 
  be thwarted by a hypertechnical reading of the supporting 
  affidavit and supporting testimony. For the same reason, 
  reviewing courts will accept evidence of a less "judicially 
  competent or persuasive character than would have justified an 
  officer in acting on his own without a warrant." Courts will 
  sustain the determination of probable cause so long as "there 
  was substantial basis for [the magistrate] to conclude that" 
  there was probable cause.

If you're interested in some of the intricacies of 4th Ammendment jurisprudence, http://www.law.yale.edu/documents/pdf/1994Fourth.pdf is a phenomenal article.

(This might very well be the case, considering the "Fruit of the Poisonous tree" doctrine).

Edit: if the police interrupt and prevent a murder, the testimony of the murder victim is also admissible. I don't think the argument "if the police hadn't illegally searched the area, the victim would be dead and unable to testify" works.

But they couldn't cite the murder as admissible evidence of felony tax evasion, it would need to be separate charges, wouldn't it?

Well, at least you were able to dodge the tax evasion charge by distraction/misdirection. Now, about this little murder thing...

Goatse behaved in the industry accepted standard way in popularizing a security vulnerability -- full disclosure. I personally would have done the same (although I would not have kept illegal drugs at my residence after doing so, but I also would probably ventilate anyone breaking into my home without clearly announcing a warrant...)

Free weev!

Well, as someone working in the security industry I take slight issue with this. They appear to have cashed in on the media coverage as much as possible rather than focus on proper disclosure practices. I (and a lot of people in my job, I think) would consider it just on the wrong side of unethical.

Additionally if he has broken no actual laws then that needs to be cleared up and he needs to be apologized too.

However I feel there is an important distinction between defend and approve; I would, for example, represent him. But I don't condone his approach to disclosure :)

My personal position varies based on the kind of vulnerability, actual risk to end users, etc. For something which causes minimal harm to the end users (publishing email addresses? really?), which was the result of utter incompetence on the part of a single vendor, and where the vendor can trivially fix it, I think aggressive full disclosure is the right course of action.

If it were something like a flaw in cisco bgp, I would support responsible disclosure, on a very long timescale; give the vendor enough time to fix it, and get the patch deployed to as many users as possible.

If it were a flaw in a no-longer-maintained system which were critical to life safety, I could be convinced to not disclose at all, provided there were something put in place to transition users off of the system.

No and I don't think that accusation has ever been made.

However; he has used the data very unethically and I don't think that it is reasonable for him to claim journalistic privileges or the cover of full disclosure to assuage that.

EDIT TO ADD: Reading your other postings I think you mean giving a copy of the leaked data to Gawker media was unethical. Is that so bad, considering they redacted it and appeared to generally handle it responsibly?

Also from a security perspective (at least from mine) it is just unethical to hand over data you got - no matter how trivial :)

Did he ask others to defend or at least give him some free consult/referrals? Did he get denied by them?

I should mention the other charge for possession is most likely completely separate, and being handled at the state/local level, since he didn't commit a federal crime in that regard (it would have to be interstate trafficking).

In short, weev doesn't understand how the federal justice system works and is asking for help.

Either way, though, prison is not an acceptable outcome for this behavior. "Don't do this again," maybe, but not being locked in a cage for years. How would that help anyone?

This is a normal part of the process of a federal criminal investigation. What happens first is that a grand jury is formed. The jury investigates evidence, calls witnesses, and tries to determine if a crime has been committed, and if so, who committed the crime. Then, the grand jury might issue a federal indictment, or it might just determine that no crime was committed and drop the case completely.

If he or someone else is federally indicted, then he would be formally arrested and have to go to federal court to stand trial as a criminal defendent. It sounds like it has not gotten close to this point yet.

Edit: I also wanted to mention that you have no right to an attorney as a witness of a grand jury. You may choose to have an attorney represent you and be present, however, the financial burden is in no way the federal governments to provide one for you. IF you are charged, then you may receive a public defender if you have insufficient financial means to pay for your own defense.

Federal cases take months and years to prosecute. By refusing to participate with the grand jury, he might be opening himself up to the fact that another witness could implicate him and he might be indicted. Of course, there is also the saying "if nobody talks, everybody walks."

He really needs to get good legal counsel and decide if he wants to testify in front of the grand jury, and decide what he wants to say.

Also, he's not helping his cause any by speaking out on the web. Mentioning his past anti-semite ramblings is also probably not the best way to gather sympathy.

I also think he does a disservice to the security community as a whole to advocate black hat ideology at hacker conferences, and then talk about "responsible disclosure" and how he was just trying to protect the poor customers of AT&T. This seems to be rewriting history.

You cannot just publish personal data and then call it 'free speech' and 'industry standard practice' of a 'journalist'.

Seriously .. where is the ethics in that?

How about actually trying to work with AT&T to get this fixed behind the scenes? Oh no, of course not, because that would not result in the right kind of exposure for these 'security experts'.

These things are all about ego and status. Hidden behind a thin shell of 'full disclosure'.

Testing/Evaluating/Disclosing an exploit isn't immoral in my mind, nor should it be illegal (in a perfect world).

Disclosing private details of third paries is certainly immoral in my mind, and should be illegal.

According to this logic publishing the exploit, so long as you're censoring output, is fine. If someone uses your exploit to download personal data, it's AT&T who is doing the immoral/hopefully-illegal disclosure. If that someone uses your exploit and then publishes the data or does some other naughty thing with it, book 'em.

You get moral brownie points under this logic if you notify the target after you discover the exploit. It's not required, because disclosure is notification. Nefarious-types aren't going to call up a bank to say "hey, we're stealing all your customer records", nor will they disclose this hole to the world.

Unpopular statement ahead: if you collect personal details, it's your job to secure your systems, and it's your fault if your systems leak them. Of course there's no such thing as 100% secure, but you're the one doing the risk analysis and design.

In this case it doesn't entirely work because it is trivial to recover in the information (so the disclosure/fix is hour sensitive rather than days sensitive)

Also, in Full Disclosure it is accepted ethical practice to notify the affected vendor and give them a reasonable time to fix it (In this case... I'd give them 2 days).

It is also very definitely not ethical to hand the data you got to the media. :)

I don't completely agree, but it's the prevailing point of view (and/or law) at the moment.

The purpose of disclosure is twofold: you want the vendor to fix the bug, but you also want the marketplace to take notice of the existence of the bug.

Knowing that Vendor M was informed of a bug and took 6 months to fix it, whereas Vendor L was informed of a bug and took 1 day to fix it, is useful to me when I'm evaluating an operating system vendor. The best way to have this information out there is to cause a big splash when you release it.

Fundamentally, the assumption is that white and gray hat hackers do not discover every bug out there. If you sit there and do semi-sophisticated static analysis on a lot of software, or fuzzing, you can discover a lot of 0-day vulnerabilities which no one has yet announced.

If end users don't feel pain from security vulnerabilities, they will not prioritize adequate security when they make purchasing decisions. Vendors with a strong security focus should support aggressive full disclosure of all vulnerabilities of all vendors.

weev claims to have received the data from an unknown source.

He then has AT&T informed through a third-party.

After that has happened and AT&T has fixed the vulnerability, he gives the data to a journalist and deletes it.

The journalist then writes about it and includes a small, badly redacted portion of it.

So, in summary weev did not publish the data in any meaningful sense and did make sure that the flaw was fixed before going public. What exactly about this is unethical?

1) "he gives the data to a journalist" 2) "in summary weev did not publish the data in any meaningful sense"

Really!?

Words have meanings. It is useful to know them.

Of course, the vulnerabilities that are fixed by working directly with vendors never end up the topic of news articles, so I'm sure it's not as cut and dry as an outside perspective would indicate.

Take a look at for example Apple's release notes for a security update: dozens of fixes, most reported by external companies and persons, all with proper attribution.

I'm fairly sure that the process does work most of the time.

That said, does the irresponsible disclosure of names attached to e-mail addresses justify what he's gone through, assuming a modicum of truth to his assertions of being denied a legal defense, gag orders, FBI raids, etc? In my personal opinion, his point that URL scraping is not in and of itself a crime is substantially true, and renders the subsequent raid unjustified. Whether that would render the drugs inadmissible or provide him any legal cover from that charge I certainly am not qualified to say.

On that note - could anyone point me towards literature on 'gag orders' in the course of U.S. justice? I'd be curious to read on the history and justification for these.

The situation is probably quite stressful for him, but he somebody should really help him work on the text so others understand what it's all about.

He has some posts which suggest the FBI was bugging his apartment and covertly following him around town. This was months prior to the release of the iPad accounts. So, yes, I suspect he is dealing with some mental issues.

I'd be interested to see an analysis by someone who knows more about the law than I do.

As always; this is one side of the story and (thought I hate to say this) from a somewhat troublesome person. I think it is reasonable to treat this as a serious matter, but there needs to be a lot more objective insight before I'd send him some money :)

Really? Are you really going for this elementary school argument?

Doesn't help when you distort the concept of 'full disclosure' and related practices, either.

No sympathy vote from me.

What he needs to do is get proper legal counsel.

Has he contacted the EFF or other similar organizations? What's with all this defense of anti-semetism? Someone needs to proofread this. What's the call to action? If the domain name's not going to change, fine, but get rid of the giant anus illustration for such a plea. Yeesh.

The problem is there are potential actual felony charges under discussion, related to the original computer crime warrant. While he hasn't been charged, he doesn't get a public defender. If he's charged, he gets a public defender.

If I were in his shoes, I would absolutely be getting a lawyer (and I sent him $100 toward that, and asked some friends who are lawyers to consider it).

Honestly, not getting an Arkansas Public Defender is probably a victory for him, too. I would rather represent myself than rely on AR PD to defend me in a case like this.

The fact that he can't get a public defender because no charges higher than the misdemeanors were filed against him is, like you said, a good thing. He misunderstood, and creates a conspiracy theory around it. This is likely the case with most of his other points in the essay as well.

Also, he seems to be able to obtain documents and requests from the gov to print online, yet also claims he can't get access to them but mentions some deadline. If you're not able to read the request/denied access to it, no judge will hold the deadline over you. That's just conspiracy/crazy talk.

To be clear, he's just being asked to serve as a witness and hasn't been charged with anything related to the iPad security. He just doesn't understand the legal process and is requesting things he is not entitled to yet, such as a public defender, and spinning conspiracy theories when they are denied. As of this moment, he is only facing a misdemeanor related to the drugs the police found.

It's not clear whether or not the EFF has the manpower to help him. The essay he wrote doesn't seem like he even tried. However, the EFF is usually very helpful with referrals or pointers. This is from personal experience.

If you want to bet on him over the government or Apple, that's your choice. Based on his actions so far (black hat approach to security disclosure; writing a long, ranting essay filled with conspiracy theories about the case and the way he is being "handled" and publishing it on the net), I'd most certainly call your bet and laugh all the way to the bank.

As Americans declared in a few days ago in 1776, "But when a long train of abuses and usurpations, pursuing invariably the same Object evinces a design to reduce them under absolute Despotism, it is their right, it is their duty, to throw off such Government, and to provide new Guards for their future security."

If what he says is true, then it is our right, and our duty, to stand up for weev. If the government is this far in the wrong, then that is more important than any single individual's actions. Give him some cash (http://security.goatse.fr/help); write to the EFF; call your congressman; ask an America you know to do the same; but please, find another thread for discussing logos, e.g. http://news.ycombinator.com/item?id=1493603

If he is lying, then we need evidence he is lying, not that he has bad taste in logos.

EDIT: I clarified the above to add the "If what he says is true... // If he is lying..." without marking the edit, which I am now doing. I apologise if I edited after the children had posted.

He claims that his civil rights are being violated in the same breath that he claims that it happens to him all the time and that anti-semitism is okay. Why should we believe any of this, exactly?

EDIT: Okay you edited your post to be conditional on him telling the truth and requesting of evidence that he's lying. My point is just that crankishness is typically evidence that someone is lying, or at least good reason to not take things that people are saying at face value and to wait for independent confirmation for whoever cares to look for it. There's a burden of proof issue here.

Screenshot 1 and 2 of the threatened indictment seemed believable and imply he is in legal trouble over a security disclosure. A quick search online implies the disclosure was responsible, proportionate and AT&T are pissed about it (e.g. http://bits.blogs.nytimes.com/2010/06/13/att-explains-ipad-s...). So, from those two things, coupled with the fact legal aid is being denied to him, implies he is serious about needing help with a lawyer.

Is he already on some kind of FBI shitlist? Maybe, maybe not, it's irrelevant. Would it have been better not to mention it? Probably. Is he credible? I don't see why not given the corroborating evidence.

Fair enough. He didn't say anti-semitism is okay. What he did do, which prompted my inaccurate comment, is admit to make "joking" videos about the genocide of Jews which are in egregiously poor taste. And then go on to make paranoid comments about the FBI manipulating the Jewish lobby and Jewish reporters to alleging that he bombs synagogues, or something (I wasn't too clear on this part).

He does (going on his online postings) regularly spout anti-semitic nonsense, but then he is a very troll like person. So it is hard to figure where his real beliefs lie - he often sounds serious, but then he may just be a serious troll.

(and, also, I suppose it is arguable his intentions [trolling or meaning it] are irrelevant because it still goes out there and communicates to people without being clearly ironic)

weev is a troll (in the 4chan sense), and a performance artist, but on this issue, he's actually being pretty straight up. He got some information about a security vulnerability, was asked to publicize it, did so, and is now being unlawfully screwed for it.

Was what he did prudent, especially for someone already on the FBI shitlist? No. Was it lawful? Yes. And, it certainly brought the security vulnerability, which was an incompetent decision by ATT, to public attention.

I'm not saying that that cranks shouldn't be defended when their rights are violated or that his claims are false. But he's certainly not helping his credibility with his disorganized, rambling writing, and his juvenile website, etc. It makes it so that my immediate inclination reading this is to suspect that most of it is wildly exaggerated.

weev talking about "this is not the first time" -- that whole section should have been left out. That makes it very conspiracy theory-like, and really has no bearing on what's going on now.

There is a reason why test cases usually find really unambiguously "safe" people for the test case -- e.g. the elderly, unambiguously law abiding and moral, African American gentleman in Chicago used for the recent 2A case McDonald vs. Chicago, or the same with Heller vs. DC.

I am pretty sure no one expected search warrants when this all started. If it was expected that the FBI and local law enforcement would get involved, an academic security researcher would have been a far better spokesman.

This is not a housewife being attacked by a SWAT team, it's someone who is likely to drift in and out of such problems who happens to have drifted in.