Marcia Hofmann is joining his appeals team, so I suspect this is going to SCOTUS.
Normally you pick the most compassionate defendant (like they did in Heller in DC) for a test case. Weev is probably the least sympathetic defendant. But I guess you go to war with the weev you have, not the aaronsw you wanted.
I think somebody that publishes this: http://www.reddit.com/r/IAmA/comments/1ahkgc/i_am_weev_i_may... a day before his sentencing is either completely sure for some reason he gets away with it or is an idiot. Nothing more effective to prove you're not a criminal than saying in public "I only regret I didn't do more harm to whoever they're accusing me of harming, next time will be worse". It's like saying "no, I didn't beat up this guy but my only regret is that I didn't break his other arm too". Smart move.
I think the thing is that weev genuinely doesn't care if he gets 41 months vs. 36 months. This is a long troll by him; by being a troll, he brings more attention to the case, maximizing lulz, and bringing bigger guns to bear in his defense.
If he'd gotten a 3-6 month suspended sentence, even if you thought that was a bit much for essentially incrementing numbers, you'd probably not care much.
If he were facing life in prison, you'd probably leave the US if you were doing anything in security research, change how you vote, etc.
If he doesn't care why should I? I know many security researchers who aren't trolls and they are doing fine. When it happens to somebody who isn't purposefully self-destructive, then it may be a better case for concern.
Most likely. He would at least have leverage to say he just needed proof the exploit worked after he notified AT&T (which he claims he did, but I didn't find any clear evidence he had). Once you download over 100,000 records, your intent becomes a lot clearer in the eyes of the law.
Had he only downloaded a few records, chances are he might get some community service and probation. Also, his stupidity in taking to Reddit to proclaim next time he won't be so nice didn't help either.
I believe from extensive conversations with weev that his intent is and was always to fuck with ATT as much as possible without targeting innocents.
Malicious? Sure. Criminal. Not a chance.
He loves manipulating press and media for his own entertainment. The bigger the number, the bigger of an asshole he makes ATT look like by their not protecting it, and the more anguish he causes their management by damage to their brand and stock price.
A valid effort, I think, as manipulating some shitty corporation's reputation with FACTUAL DATA is one of the least underhanded ways of achieving the goal of "fuck with ATT".
I don't know if it prevented him from going to jail, but I'm sure if he'd behaved responsibly there would be no way he'd get 3 years. But then he'd not be him, and the whole matter would be different. The whole point here is that he is him, and if he got a slap on the wrist he'd probably just decide he's invincible and nobody could harm him and proceed to do more harmful things with a full sense of impunity.
Because our world is imperfect and justice doesn't always find the guilty. In this case, his karma finally caught up with him. He was guilty, he behaved like an ass and he got 3.5 years, even though if he hadn't he probably would have gotten much less. I can see the EFF's point that 3.5 years is too much too, though I personally feel very little sympathy for Auernheimer. If he wises up, he'd be out in less than 2 years probably; if he doesn't, well...
Because living at the mercy of the government only not prosecuting you simply because they think you're not a dick doesn't scale to 100% of a free society.
This is different than a Klansman being on trial for his car crashing into a bus stop full of black kids, and then publicly announcing before sentencing that "I'm only sorry I didn't kill any of darkies."
The Klansman's own words are used to show intent. Without them, he might legitimately argue that it was an honest accident. Maybe believably, depending on other evidence.
Using someone's own words against them in court is not a violation of freedom of speech. Intent matters, and that doesn't mean we have thought-crime.
Show me the case where somebody is prosecuted solely because "they think you're a dick" - as opposed to actually doing something criminal while being a dick - and you'd have a much stronger case.
I'm not aware of the ACLU defending any criminal actions of the Klan. If we talked about Auernheimer's freedom to express his views, however vile they may be, it'd be a completely different case.
Somehow I'm not concerned yet. When I'd feel the urge to take personal data of 100K users from AT&T and publish them and then a day before my sentencing I'd feel it necessary to say my only regret is that I didn't do more harm - then I'd be concerned more. Don't foresee it happening soon, though.
Same CFAA, different cases. Different approaches, different intents, different results. Swartz had noble goals but chose means that are questionable. Auernheimer's goals are, as it appears from his public persona, to cause disorder, embarrassment and trouble, and to derive personal enjoyment from the result. No wonder he gets different reaction.
>If he'd gotten 3-6 month suspended sentence, even if you thought that was a bit much for essentially incrementing numbers, you'd probably not care much.
And to be fair, if he didn't do things like the AMA, he probably would have gotten the 3-6 month sentence.
His comrade got 12-15mo, so I think there was little chance of weev getting less (and probably 24mo was the most likely). I predicted 3y before his last little bit of trolling.
Technological ignorance from the law makers and the judicial system is in part why that law exists and why Weev is locked up. It's funny to hear them butcher technical words and to see the word "Goatse" on CNN.
...But I've stopped laughing. It's time that technologists step up efforts to change things in the favor of communication and free speech.
I put $50k on the line to bail him out and talked him out of aaronsw'ing himself several times during the last few years while this nightmare progressed.
I must've missed you at the sentencing this morning. I was the hungover one in the mirrorshades.
1. First, it's going to be appealed to an appeals court :)
2. Generally, if you are smart, you don't bring wildly unsympathetic defendants to SCOTUS at all (i.e. you don't go to war over them). There are cases where it doesn't matter, but one of the reasons we ended up with so many 4th amendment exceptions is, IMHO, because of the habit of bringing really unsympathetic people/facts to SCOTUS back when we had justices like O'Connor.
Obviously it goes through the process, but I think the feds will push to keep CFAA as well, so it's going to go all the way. 41 months is long enough for that; if he'd gotten a 3-6 month sentence the process wouldn't have had time, so maybe weev's "troll the courts" strategy had some merit.
While weev himself is highly unsympathetic, his actual "crime" in this case is quite sympathetic -- it was technically trivial and the results were given to the press, vs. used for financial gain (even though they talked about it). So maybe it's not the worst possible test case.
His biggest mistake was not being in the 9th circuit, though.
Assuming he loses, yes, losing elsewhere and having a circuit split is probably the most likely route.
But who knows, maybe SCOTUS would get bored enough to find it interesting.
I'm betting "no" in part because legislative fixes are being considered right now. If one passes, it would reduce the odds SCOTUS would ever take the case.
That's part of it, but it was a natural reaction to the total collapse of order and the explosion in crime in U.S. cities in the 1970s and 1980s. The fact is that most of the people invoking the 4th amendment were really unsympathetic. They still are.
Of course they're unsympathetic -- if they were merely good citizens who were hassled for no good reason, there wouldn't have been a charge.
Improper search and seizure leading to a trial is going to have found drugs/guns/whatever, by definition. That doesn't mean the rest of us should have our 4th amendment rights weakened.
I don't disagree with you. My point is that it's important to understand the context. The federal courts are absolutely clogged with appeals and habeas petitions from "bad people" who clearly did whatever they were charged with. People who are just trying to get off for serious crimes by grasping at technicalities (because they're in prison and have nothing better to do anyway). For all the skepticism about the police, they don't like losing prosecutions and as a result tend to go after slam-dunk cases.
For the courts charged with maintaining these protections, it can be hard to keep a hard-line stance in favor of 4th/5th amendment protections in face of a docket that is chock full of actual criminals who actually deserve their sentences.
It should be noted that he was convicted on two counts: conspiracy to access a computer system without authorization, and fraud in connection with personal information.
The way the CFAA works is that it's a misdemeanor unless the illegal access is pursuant to some other crime, which bumps it up to a felony. Had weev simply stumbled upon AT&T's security flaw and reported it to AT&T, the worst they could have gone after him for is a misdemeanor.
People are acting like the fact that he downloaded tens of thousands of pieces of personal information is totally irrelevant, but it's not. It's highly relevant. It's why he's been convicted of a felony rather than a misdemeanor. And it should make intuitive sense and it's mind-boggling to me that somehow people on here intellectualize the situation to the point where they write out this part of the facts.
In meat space, the crime of trespassing can range in severity from nothing to a serious felony depending on what the surrounding circumstances say to a jury about the trespasser's intent. Here, it was totally reasonable for a dispassionate observer to conclude that weev's intent in downloading tens of thousands of pieces of personal information (not to mention the IRC conversations) was seriously malevolent.
It should finally be noted that the "fraud in connection with personal information" conviction would have been by itself sufficient to support the sentence.
It's insane even if you assume they were pristine and never received any spam before weev came along and "stole" them. Furthermore, the list was never sold, distributed, or published.
An excerpt was sent to the media.
They kicked around the idea of spearphishing, of spamming, of pastebinning it, of selling it. In full knowledge of the value and leverage that this data allowed, they contacted the media and deleted their own copies. It profited them nothing.
The idea that this is akin to trespassing is simultaneously both obtuse and dangerous. There were _no_ access controls; ATT themselves said in court that the information was published (by them) on the web.
> Possessing email addresses should not be a crime.
Collecting lists of e-mail addresses from private databases without authorization should be.
> Identity fraud for a list of emails? Really?
Weev said in IRC conversations that he was going to sell the e-mail lists. Maybe you don't believe him, but it's hard to argue that no reasonable person could have believed that he was going to do what he said he might do.
> Furthermore, the list was never sold, distributed, or published.
If someone breaks into your house with safe-cracking tools in his possession, he doesn't have to actually break into your safe to be charged with and convicted of burglary.
> There were _no_ access controls;
I don't lock the door to my apartment. That doesn't mean you're welcome to walk in and look around. If we were in Florida or Texas, I could shoot you in the face for walking into my unlocked house and nobody would convict me.
Society charges you with being a normal functioning human being and respecting obvious boundaries. Obviously this is too high of a bar for people like Weev.
> Collecting lists of e-mail addresses from private databases without authorization should be.
Unauthorized I can see, but "private"? What was "private" about this database he accessed? It was a public API on a public server with no authentication required.
> Weev said in IRC conversations that he was going to sell the e-mail lists.
Yes, but he didn't. Is he being prosecuted for doing something he said he would do, but did not do? That seems dangerous.
> If someone breaks into your house with safe-cracking tools in his possession, he doesn't have to actually break into your safe to be charged with and convicted of burglary.
This is death by bad analogy. He wasn't breaking into a house, no safe-cracking tools were required (nor, probably, on his person).
Why not argue to the actual point? The list was not sold, distributed, or published -- why is it necessary to fall back to analogy there?
> I don't lock the door to my apartment. That doesn't mean you're welcome to walk in and look around. If we were in Florida or Texas, I could shoot you in the face for walking into my unlocked house and nobody would convict me.
Death by bad analogy, again. Surely you don't think that downloading publicly available data is analogous to B&E? And if the email addresses are so precious as to warrant a 41-month prison sentence merely for accessing them, shouldn't the idiots at AT&T be held at least partially responsible for making the data publicly accessible?
> Obviously this is too high of a bar for people like Weev.
Ah: guilty people are lesser people?
I'm not even sure what Weev's crime was here, in layman's terms. Was it accessing the public API in the first place? Was it sending the list of email addresses to Gawker? Was it talking about doing nefarious things with the list of email addresses? Was it not contacting AT&T first?
If I had to describe this case to someone who knew nothing of computer systems and explain why the 41-month prison sentence was justified, how would I do that?
Is there not some level of basic accountability? I mean, shouldn't AT&T face penalties for hosting consumer data in such an egregiously unsafe fashion?
While I think the responsible disclosure could've happened in a better way, I don't think this is akin to walking into an unlocked house. This is a web server whose only protection was prayer. There was no authentication, no verification and no accountability.
What makes me so mad is that AT&T can be so goddamn careless with my information and skate away free while the gentleman who exposed this lack of attention is sent to a jail for a very long time. It just doesn't sit well with me and I don't think the boundaries are obvious.
I'm not a hacker if I increment a URL by 1. I wouldn't even call you a hacker if you used DNS reflection attacks. To identify cheap parlor tricks as hacking is offensive to the professional breakers and ludicrous in the larger scheme of things.
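The post above describes an unauthenticated lookup endpoint that hands out one record per id, where the only thing separating a user reading their own record from a harvester is whether the id gets incremented. Since such an endpoint has no authentication to log, the access pattern is the only detection signal a defender gets. The following is an added example, not code from the thread or from AT&T: it parses constructed access-log lines (the `/api/lookup?id=` path, client addresses and log lines are all made up for this illustration) and flags any client that walks a run of consecutive ids against one path.

```python
"""Detect sequential-id enumeration of an unauthenticated lookup endpoint in
web access logs.  Added illustration; the endpoint path, client addresses and
log lines below are constructed for this example, not taken from the AT&T case."""
import re
from collections import defaultdict
from typing import Dict, List

# Apache/nginx "combined" style line, e.g.
# 203.0.113.5 - - [15/Mar/2013:10:00:01 +0000] "GET /api/lookup?id=1000 HTTP/1.1" 200 88 "-" "curl/7.29"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
ID_RE = re.compile(r'[?&]id=(\d+)')  # hypothetical query parameter carrying the record id

# Constructed sample: one client incrementing ids, one client re-reading its own record.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Mar/2013:10:00:01 +0000] "GET /api/lookup?id=1000 HTTP/1.1" 200 88 "-" "curl/7.29"
203.0.113.5 - - [15/Mar/2013:10:00:01 +0000] "GET /api/lookup?id=1001 HTTP/1.1" 200 91 "-" "curl/7.29"
203.0.113.5 - - [15/Mar/2013:10:00:02 +0000] "GET /api/lookup?id=1002 HTTP/1.1" 404 0 "-" "curl/7.29"
203.0.113.5 - - [15/Mar/2013:10:00:02 +0000] "GET /api/lookup?id=1003 HTTP/1.1" 200 90 "-" "curl/7.29"
203.0.113.5 - - [15/Mar/2013:10:00:03 +0000] "GET /api/lookup?id=1004 HTTP/1.1" 200 87 "-" "curl/7.29"
203.0.113.5 - - [15/Mar/2013:10:00:03 +0000] "GET /api/lookup?id=1005 HTTP/1.1" 200 89 "-" "curl/7.29"
198.51.100.7 - - [15/Mar/2013:10:00:04 +0000] "GET /api/lookup?id=4821 HTTP/1.1" 200 90 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Mar/2013:10:05:10 +0000] "GET /api/lookup?id=4821 HTTP/1.1" 200 90 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Mar/2013:10:09:30 +0000] "GET /static/logo.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def parse_log(text: str) -> List[Dict]:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        idm = ID_RE.search(url)
        records.append({
            "client": m.group("client"),
            "ts": m.group("ts"),
            "path": url.split("?", 1)[0],
            "record_id": int(idm.group(1)) if idm else None,
            "status": int(m.group("status")),
        })
    return records


def longest_increment_run(ids: List[int]) -> int:
    """Length of the longest stretch of requests where each id is the previous id + 1."""
    if not ids:
        return 0
    best = run = 1
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def detect_enumeration(records: List[Dict], min_run: int = 5) -> List[Dict]:
    """Flag (client, path) pairs that walk at least `min_run` consecutive ids.

    A legitimate user re-fetches their own record; a harvester increments the
    id and keeps going, so a long run of +1 ids from one client is the signal.
    """
    by_key: Dict[tuple, List[Dict]] = defaultdict(list)
    for r in records:
        if r["record_id"] is not None:
            by_key[(r["client"], r["path"])].append(r)
    findings = []
    for (client, path), reqs in by_key.items():
        ids = [r["record_id"] for r in reqs]
        run = longest_increment_run(ids)
        if run >= min_run:
            findings.append({
                "client": client,
                "path": path,
                "requests": len(reqs),
                "distinct_ids": len(set(ids)),
                "longest_run": run,
                # misses are a second hint: a harvester asks for ids that do not exist
                "not_found": sum(1 for r in reqs if r["status"] == 404),
                "first_seen": reqs[0]["ts"],
                "last_seen": reqs[-1]["ts"],
            })
    return findings


if __name__ == "__main__":
    for f in detect_enumeration(parse_log(SAMPLE_LOG)):
        print(f"{f['client']} walked {f['distinct_ids']} ids on {f['path']} "
              f"(longest +1 run {f['longest_run']}, {f['not_found']} misses)")
```

Detection of this kind is a backstop only; the actual fix for the endpoint the post describes is to require authentication and to check that the requested record belongs to the authenticated caller before returning it.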
> Is there not some level of basic accountability? I mean, shouldn't AT&T face penalties for hosting consumer data in such an egregiously unsafe fashion?
That's a separate issue.
> This is a web server that's only protection was prayer. There was no authentication, no verification and no accountability.
The protection was the fact that the information therein was obviously sensitive and not intended for public disclosure. In a civilized society, that's all that should be necessary.
> What makes me so mad is that AT&T can be so goddamn careless with my information and skate away free while the gentleman who exposed this lack of attention is sent to a jail for a very long time
He's not being sent to jail for "exposing this lack of attention." He's being sent to jail for exploiting this lack of attention tens of thousands of times more than was necessary to prove his point and for talking smack on IRC that led people to believe that he might sell those e-mail addresses for profit.
It's a public issue, so any client who thinks AT&T sucks can go to one of the other providers. What you want, put people that write bad code to jail? You'd need pretty roomy jails then. May as well jail everybody who ever wrote any code at all - some of it most probably is bad.
I was about to post a similar comment to yours until I clicked through to the linked AMA below and saw some of his GNAA history.
Given that history, it's really easy to claim that he was intending to do harm with that list of emails, and it's also pretty easy to think of ways for him to do harm. Identity fraud might be a bit of a reach, but computer abuse with malevolent intent? Not too hard to get there from his public statements.
Those emails were exposed to the public. Weev's security company exposed "gaping holes". AT&T are at fault for exposing their customers' information in the first place.
Anybody COULD have done harm with those emails. He didn't. He used them as fodder for public discussion about internet security.
AT&T should owe him a "thank you".
AT&T customers owe AT&T a boycott for being irresponsible with their information.
Finding a security hole is not a get-out-of-jail-free card.
I think the question of AT&T having responsibility for inadequate controls is very interesting. I would like to see AT&T face some repercussions for it. Not _instead of_ weev receiving punishment, but _in addition to_.
It's actually quite simple, but requires a lot of question asking to figure out.
Hackers move easily between different levels of abstraction and believe that things in general can and should be understood. They try to never stop asking 'why?' and this leads them to find places where the system is incongruent. Many of these realizations are benign or even progress the system, and the advantage gained just helps the hacker succeed within it (eg. pg's main use of the word hacker). But some realizations contradict a foundation of the system (like insecurities of its central nervous system!).
The system is built on abstractions, takes them for granted, and reacts extremely harshly when they are broken (for this is an existential threat). The system can only understand a broken abstraction in terms of the abstraction itself, rather than in terms of underlying reality. Hence we end up with phony blame-shifting terms like "identity theft" instead of reality-based "fraud". Meanwhile, hackers see the failure of the abstraction in terms of the underlying reality and have a hard time seeing what the big deal is - just reprogram the abstraction!
Most people's thoughts are contained mostly within the system, having been indoctrinated into it from birth (constant rote memorization in primary school, blind repetition of contradictory facts, scolded by adults with tenuous justifications every time they don't follow the pack, etc). So they take what they're told at face value and follow along, all the while never seeing the whole picture and hence remaining afraid of mysterious agents that can take advantage of them for what they don't understand. If they're told that a collection of email addresses is a threat to their way of life, they'll actually believe this because they lack the broad framework to analyze the truth of this statement. They'll instead trust the system and assume it's correct, feeling that if it were indeed wrong they would no longer be able to take anything for granted.
Anybody can ask 'why?', it just takes constant effort.
I theorize that all religions begin with understandings of fundamental truths that are summarized to pass along. They then ossify into mechanical words and take on an oppressive life of their own :/.
Bruce Schneier walks past the AT&T building and sees a shop front called customer services. There on the sidewalk is a filing cabinet labelled "your records". Instructions on the cabinet say please open the drawer and read your own personal records. Do not read anyone else's.
Bruce looks at his, then checks that he can look at some others - he collects 100 examples and, angered by this, he takes those examples and posts them on his blog as proof of a major security failing so bad it's embarrassing.
Now weev it seems is an unpleasant person who has been looking for ways to attack AT&T - but is the strawman argument above an accurate analogy to the facts of the case?
If so I really don't see what his motives or personality have to do with anything other than his sentencing. It's the prosecution and conviction that seem wrong afaik.
Change "100" to "tens of thousands" and "posts them on his blog" to "suggests to someone else that he was going to sell them for profit" and you've got a damn good analogy.
Because it's not okay to access data you know you shouldn't look at and threaten to sell that data to parties that would use it to harm others. The fact that nothing is stopping you from doing so does not make it okay.
The world is full of sensitive information that's basically protected on the honor system, for the same reason the world is full of unlocked doors: because we assume some assholes won't come around and abuse the situation.
AT&T had a duty of care to protect their data which they signally failed to do. Then some asshole finds out and makes that situation public. He did not do so in a responsible manner but four years is a long time to get for being an asshole.
If that is commonplace HN is going to be a smaller forum
Let's stop making things up about the facts of the case, shall we? Weev did not get 41 months for being the asshole that made AT&T's blunder public. The worst he could have gotten for the CFAA charge by itself would have been a misdemeanor with a maximum penalty of less than a year (and realistically, probably zero jail time).
Weev was convicted, by a jury, of fraud in connection with personal information. The jury believed he intended to sell the e-mail addresses he collected to people who would use them for various nefarious purposes. Given that he claimed he was going to do so in IRC conversations, it's really hard for you to sit there and argue that the jury was unreasonable in reaching this conclusion, and that all they are really punishing him for is blowing the lid on AT&T.
What you're doing is trying to create a particular narrative about Weev's intentions, but ignoring that the jury in this case heard and rejected this narrative.
Every time I see a ruling like this, I can't help but think that future historians will view this time period in the same way that present day historians view the crusades/religious persecution/witchhunts of the past millennium.
It's amazing how much point of view can change perspective.
I don't think this particular case is black and white. Judging by my Twitter feed, a number of security researchers and white hats feel the same way I do: the law as it stands is not good, but what Weev did was also really, really unhelpful and borderline stupid.
Rather than disclosing to AT&T, he leaked it directly to Gawker, and discussed how to potentially abuse the data he had (by shorting the stock, selling the e-mail addresses he had collected to spammers, etc).
The sentence is absolutely disproportionate. But there are so many ways in which the guy could have handled himself better. I think a lot of people in the infosec industry are simultaneously angry at the sentence but not massively empathetic with the defendant.
What I'm trying to say is that as a test case or campaign to change the law it's far from ideal.
He didn't expose some flaw or weakness. ATT knew that information was there, they were the ones that put it there. Weev was pointing out a negligent mishandling of data. ATT already has shown that they suck at vendor response. I think he has a duty to inform the public when there is an issue like that. If he had gone to ATT first, they likely would have lawyered him into oblivion, and kept their shitty service online.
This argument is very commonly made, and that's unfortunate because it is fundamentally flawed. Just because AT&T left the information exposed is not sufficient justification for some random person to take it, especially when that person takes it with the explicit intent to cause harm AND profit from it.
First off, what profit? Weev can be described by many negative terms, but greedy has never been one of them.
Secondly, if a company posts something publicly, people in the public are going to see it. My mind is incapable of comprehending the logic of anyone who would say "Just because we posted it on our website doesn't mean we wanted anyone to see it."
The first amendment makes no distinction between someone who says "Hey your shitty website is broken. And I'm telling everybody." and someone who sends a private email, hat in hand, saying; "Excuse me kind sirs, but I can't help but notice that your security procedures are somewhat lacking."
And oddly, if one of those is a crime, so is the other.
Does the First Amendment make a distinction between a person in a crowded room shouting "I love U2" and the same person shouting "Fire"?
I'm going to go ahead and suggest that the answer is "No, but we as a society make a distinction." Same principle here. I believe the general principle is that you have freedom of speech, but you do not have indemnity from the harmful consequences of your speech.
The judge who said that the 1st amendment doesn't cover shouting fire in a crowded theater used it as an argument to jail people for handing out anti-war fliers.
So it's not even appropriate for me to say that it's a slippery slope, because it started at the bottom.
Although the application is questionable, I think most people agree with the principle — you are free to speak your mind, but when your speech ventures into the realm of action, that action is not necessarily protected. For example, ordering a hit on someone is not protected even though it is technically just speech.
...you did read the bit where I said "the sentence is absolutely disproportionate"? I think you can be a victim and a bit of an idiot at the same time. I'm trying to point out that in terms of changing the law so this sort of thing doesn't happen again he's hardly a fantastic poster child.
No weev's defense is that... it was a public URL... Do you really want to set a precedent that companies get to decide after the fact that some public URL you surfed wasn't meant to be public so now you go to jail?
Yes, because putting a very small number of people in prison for a couple of years is the same as a series of wars that lasted three centuries in which millions of people died.
Prison doesn't work. It is expensive. Yet the US has the highest documented rate of imprisonment in the world.
It's going to cost approx $40,000 per year to keep this non-violent criminal off the streets. (From Wikipedia, California state prison, 2008)
The US should probably consider not putting people into prison unless they are violent offenders, or unless they are repeat offenders. (But even for repeat offenders it's probably cheaper to work out why they're offending and put something in place to stop that.)
What a horribly screwed up system that seeks the maximum penalty for a guy who wanted the public to be able to see the research they actually pay for but charges rapists as juveniles as if rape is less evil if you're less than 18 when you commit it.
If you are referring to Swartz, no one sought anywhere near the maximum penalty. If you are referring to weev, none of his actions had anything to do with making publicly funded research available to the public.
There is significant research into the culpability of minors. There have been significant steps taken by the Supreme Court to limit and restrict the prosecution of minors because of fundamental research into neurological development and youths' ability to make proper judgements.
What those guys did was reprehensible and they should be in jail. No questions asked.
But we have two separate penal systems in this country: one for juveniles and one for adults. The adult penal system uses harsher punishments than the juvenile one.
You simply cannot compare the sentence handed down in both of these cases, because they are happening under two effectively different penal systems.
For ANOTHER thing, the actual sentences handed down by the judge in the Steubenville rape trial were that they are remanded to the state juvenile detention facility for at least one year (for the one who only participated in the rape) and for at least two years (for the one who also sent around the pictures). At most, they will stay in such a facility until they are 21. In addition, these two must also register as sex offenders for the rest of their lives, effectively giving them life-long parole.
So, when we are talking about Aaron Swartz, everyone quotes the maximum penalty he could have faced, even though it was almost impossible he ever would have received such a sentence. But in the case of these two rapists, everyone is saying they only got one or two years. The fact is, when you want to say punishment is potentially harsh, you quote the maximum, but when you want to say it is weak, you quote the minimum. Make up your mind.
Again, I'm not trying to defend those two guys. I'm making the point that you cannot compare juvenile and adult sentences. Perhaps question whether or not these two should have been tried as adults, sure, but then there are many who would argue that that is overly aggressive prosecutorial action[1].
I think there's a strong case for less culpability for children. If a 5 year old (EDIT: "accidentally" not intended here) rapes or kills someone, that's a different crime than if an adult does it.
But, 18 shouldn't be the dividing line for responsibility.
Maybe it's a function of getting older, but it feels that my country (and as a sort of extension the English speaking West) has begun to tire of the effort.
We have marched, protested, voted and won. Human rights, gay rights, pollution and justice. But it took effort and now the injustices are less obvious, are not next door but a long way away, and so it seems we can stop and rest. But injustice is like entropy - it never rests and so we let the torture be done in our name, we don't mind that the youth of the country are given sentences for looting longer than murderers, we don't shout that companies who leave their virtual doors unlocked should not be upset if they find people inside the building.
It's right we should be upset, should write our MP, should protest the wrongs - but it just seems lacking.
I used to think that the USA had a written constitution and so would always defend these things - but it seems that if we stop caring then we stop fighting for the spirit of the law and disappear up our own bottoms arguing over the letter of the amendment.
> We have marched, protested, voted and won. Human rights, gay rights, pollution and justice.
This is not true by any stretch. Human rights have been and are continually violated, esp. for minority groups, mainstream gay rights has become assimilationist and has abandoned the LBTQ of LGBTQ, and pollution abuses continue and many of those abuses moved overseas as perpetrating corps. went for cheaper labor.
> But it took effort and now the injustices are less obvious, are not next door but a long way away, and so it seems we can stop and rest.
The injustices are next door, they happen every day. The root causes of issues have not been addressed and classism, racism, sexism, and capitalist patriarchy are as much of a part of western society as ever.
> But injustice is like entropy - it never rests and so we let the torture be done in our name, we don't mind that the youth of the country are given sentences for looting longer than murderers, we don't shout that companies who leave their virtual doors unlocked should not be upset if they find people inside the building
It should be noted that people have tolerated and/or endorsed this kind of structural dysfunction for a long time and continue to do so. But you are right in that injustice is systemic and will continue even if people feel hopeless or tired of fighting that injustice.
As more and more of those who were overtly discriminated against become assimilated, those who are still facing overt discrimination are considered to be at the "extreme", unfortunately, and are considered "less deserving" of equal rights. Those who face subtle discrimination are unaware and/or tired. Pollution abuses continue... some still occur here, but the most severe ones are not in the middle- and upper-class neighborhoods, so might as well be non-existent. And many of us don't view ourselves as global citizens, so virtually anything occurring overseas is ignored or denied.
For context, this guy used to be part of the GNAA. They don't care at all about exposing security holes. His goal probably wasn't to cause some sort of security improvement. Yeah, the punishment was harsh, but this guy isn't exactly a folk hero.
Sure, but that's a question for the legislature, of course.
Courts are going to give deference to the policy choices of what crimes deserve what punishments.
They hit him with the maximum sentence, not the minimum -- this one's on the courts. If it was a case of someone going away for 10 years for shoplifting because of 3 strikes, then that's on the legislature.
No, it isn't.
The minimums/maximums are legislatively defined (in this case, through the US sentencing guidelines, which came through the Sentencing Act of 1984).
If they didn't want the maximum to be the maximum, they shouldn't have put it in the range?
For the most part, the actual calculation is mechanical. Unless the judge performed an upward departure (which I can't find any evidence of), he was just following the guidelines.
You must be very new on this Earth if you think it actually doesn't matter who the defendant is and how he behaves. Motives matter, so does evaluation of the probability that the crime will be repeated in the future. weev did everything to show he intended to harm AT&T and his only regret is that he didn't harm them more. That's not exactly a way to get a lenient sentence.
He didn't intend to harm AT&T; they discussed selling the URLs or shorting the stock, that would amount to harm, but they didn't do it in the end, so his intent is pretty obvious.
If I was dealing with such dickheads as the AT&T and the US prosecutors, my "last" wish would be to harm them more, too.
Edit: typo, changed "with" into "wish" in the last paragraph.
Shorting stock doesn't harm AT&T, it harms the shareholders.
>>>> If I was dealing with such dickheads as the AT&T and the US prosecutors, my "last" wish would be to harm them more, too.
Then you'd be no smarter than Auernheimer, and I sincerely hope you don't behave as stupidly as he did, or you inevitably would land in jail too. It usually doesn't go well for people that try to harm others and publicly admit it. At least Auernheimer didn't publicly proclaim his desire to harm prosecutors too; that'd be a nice cherry on top of this cake of self-destruction.
Prosecuted and convicted at all? Whilst I recognise there is a lot of backstory here and a lot of anti-weev feeling, if the case is as simple as AT&T kept private records behind the worst security imaginable - the equivalent of putting an unlocked filing cabinet on the street and moaning that people rifled through it - then his criminality should be, IMO, the equivalent of someone who went through that filing cabinet and took the files to a journo to show how crap their security was.
If there is something else to it (as opposed to him, or he is repeatedly trying to get AT&T) then I would of course like to know.
If you are driving down the street, and notice that I put the deadbolt onto my house backwards (so that it locked from the outside), is the appropriate thing to do to let yourself in and walk around looking at all my stuff and then call the local news station and invite them in along with you, or is it to call the police or leave me a note letting me know I've got a problem?
I think a more useful analogy is this: there's a large municipal building in town that stores a lot of its citizens' vital records, and they've been slipshod on security. You gather evidence about just how slipshod they've been and turn it over to a journalist.
Conflating what weev did to someone walking around inside your house brings in too many emotional triggers about private property. He wasn't in someone's house, he was trying to demonstrate that the company you hired to keep your private property was doing a crappy job at it.
EDIT: Okay, yes, he was probably just trying to be an ass but fortunately that's not a crime.
You don't "gather the evidence", you rather take the records for 100,000 citizens, put them on a truck and dump them in the frontyard for a local newspaper, after considering how much you could sell it for and deciding it's probably more fun to just cause public embarrassment. If you wanted just to show the system is insecure, 2 records would be enough. Stealing 100K of them is not something you do if your goal is just "gathering the evidence".
There's definitely a "being an ass" component to this, no doubt... but one could argue that presenting two records to a journalist implies a small security hole. 100k of them is a giant security hole.
That's like saying just showing a remote root exploit with the "id" command is a small security hole, but copying the whole file server is a big one. Any journalist knowing anything about security knows that access matters, not how much is physically copied. And any that doesn't know it but has a functioning brain can understand it in under 30 seconds. I don't buy it; journalists are more than capable of making big conclusions from small evidence, they don't need much help in that.
Yah, except for the part where he spends an extra 10 seconds explaining "here are 2 of hundreds of thousands, as an example".
The headline would be the same: "X Company exposes N Number of user accounts in discovered security hole". So do you see where that doesn't make any sense?
edit: agree with you @drhayes9, just responding to the OP's assertion that the number mattered.
The restaurateurs were not informed about it; it went straight to the media and to the city health department. The restaurant was shut down later that day for health violations.
Has a crime been committed? Did the photographer have a moral, ethical, or legal duty to attempt to quietly inform the restaurant that they have a rat problem? Should the photographer have been prosecuted for interfering in the business operations of the restaurant? Suppose we know the photographer is an asshole. Does that change the calculus?
None. Notice that the photographer was OUTSIDE. He didn't remove any property from the restaurant. He did not physically enter the restaurant.
Part of the problem, and I think you'll agree with me on this, is that these metaphors break down because, when talking about information and systems, the notions of property are much more complicated. What if, for example, the photographer photographed a sheet of paper with 100 usernames and passwords to gmail accounts, or bank account records, and then mailed it out for everyone to see?
He should probably have gone to the authorities first, not the media.
The sign is definitely copyrighted as a creative work, and some sort of argument based on competitive advantage would certainly be brought out in regards to why taking the photograph has wronged the restaurant owner. These things don't make constructive sense, they're just convenient to invoke when it's time to conjure up some justification for persecution of the undesirables. Fortunately for the photographer, that window is not a computer network and the average person understands that having rats in a restaurant is wrong.
You are right that the public understands rats in restaurants more than they understand insecure web apps.
But the public also understands that things visible through the front window of a business on a street are not private or secret. (And I know someone is itching to type that AT&T is just a window and they just served up exactly what Weev wanted, but I'm too tired to respond to such nonsense.)
"Bringing a serious problem to the public's attention" are not magic words that make someone's actions legal.
The only people who think weev's actions aren't illegal are people stuck thinking the laws make sense and trying to reconcile them with their morals. The real question is whether what he did is wrong, and if so, what level of punishment is appropriate.
I'd say that a list of email addresses isn't actually private information worthy of legal protection. We've just got these ridiculous laws calling widely-available datums "sensitive" because banks (et al) are trying to pretend that your "identity" is somehow being "stolen" rather than that they're simply being defrauded. So a simple trespass with questionable intent has been turned into a several year felony based on these toxic bits that aren't actually important enough to necessitate serious audits or redundant controls.
Frankly the highly fucked up part of these laws are the amount of time involved, both what defendants are pressured to plea bargain with, and the actual amounts that get sentenced. It's very easy to say that three years in a cage is reasonable from the comfort of your chair. We can debate what should be ultimately illegal etc, but with these kind of sentences we're basically talking about destroying someone's existing life for a non-violent action with minor damages that a different company wouldn't even press charges for.
But if you are a bank, commercially offering "secure" services for profit, and the deadbolt is on the outside, then any public outing is to be expected.
Really this is about a lack of understanding of software and architecture by the entire public - imagine a bank had actually put a million dollar safe up and had forgotten to put a lock on it - the competitor's CEO would expect to be fired if he did not take the press and cameras around to have a good laugh.
First-hand experience in my case. He and his GNAA attacked my volunteer-run open source project and did many things, including calling Child Protective Services (CPS) and making false complaints -- leading one of my volunteers and his children to have to undergo interviews with CPS to suss everything out.
They emailed one person's professors at university and made false, damaging claims. Bosses were tracked down and jobs were contacted. Parents were found and harassed. Our web site was attacked and taken offline. Our business associates were contacted and they concocted a fictitious business persona to file spurious complaints with our payment processors, leading to us being dropped from two providers.
weev was not just "being mean", he transcended that to stalking, bullying, and harassment. He caused emotional harm to my volunteers and staff and fiscal harm to my business. All in the name of "trolling".
And yes: we pursued the legal route. The FBI is just not super interested in tracking down some random dude on the Internet for harassing a small business. They were happy to talk to us and very compassionate and gave us some advice, but that was the extent of it.
I have no trouble believing that weev did those things and worse, and it is probably criminal behavior, and if so it should be punished. But that has nothing to do with what the gov't. has just done. Just as defense atty's want sympathetic defendants, prosecutors are happy to exploit the unsympathetic response that most people have to learning about weev's behavior. If we let them do it to weev, we are inviting them to do it to anyone, including yourself. The gov't has just expanded its power to jail people for what ought to never have been chargeable, and given that power to companies like AT&T. As it stands now, any company with the means to do so can use the state to jail you under similar circumstances. Even if you are a nice guy who saves stranded kittens from trees.
Well, previous behaviour has everything to do with sentencing. Seriously, they don't just look at the case and go "41 months!", they weigh everything up and go from there. The likelihood is a security researcher with a spotless past wouldn't have gone through it, prosecution would have pushed for a hard sentence of course but the final judgement takes into account everything.
Basically, the prosecution wanted a harsh sentence to set precedent and weev gave them the ammo to do it.
That sort of behavior is disgusting. There are questions about the CFAA, and rightfully so. But on one level, I am 100% fine with this asshole being in jail.
Isn't that the whole problem though, that the CFAA is being used to put assholes and activists in jail? If he got arrested for fake calls to CPS or something, I could agree with it perhaps, but I'm not at all comfortable with him going to jail for bullshit reasons.
That's very true, but some of the smaller subreddits are also vile.
Justiceporn (people getting their come uppance) and cringe (originally things that made you cringe in sympathy, but latterly videos of socially awkward youth that Reddit could bully and mock) are two examples, but there are others.
Whether they've stated it publicly or not, I would imagine AT&T's main contention with weev is that he released the information publicly (to Gawker) without attempting to disclose the information to them first (please correct me if he did and I've overlooked that). Nonetheless, if he were to have gone to AT&T first I don't think there's anything that could have stopped AT&T from accusing him of hacking and pressing charges anyway since that wouldn't have changed the way he went about discovering the issue. That's scary. Even this particular case aside, how is a person supposed to ethically disclose an exploit to an organization without fear of prosecution?
That's my impression of the case as well. Whether or not AT&T would've continued to press charges is a worthless thought exercise. History seems to have shown if you make a good faith effort to keep the company in the loop, things turn out OK, and you at least remain sympathetic should they not.
I hope so too, but Julian Heicklen and others have already been charged with "jury tampering" and other such made up crimes simply for trying to inform others about jury nullification.
Juries are not supposed to be rubber-stamps for the government and I'd urge anybody who is going to serve on a jury to learn about their rights and responsibilities before going.
If you think a non-violent person being charged in a marijuana possession case or other non-crime doesn't merit locking up, throw a wrench into the corrupt system and vote not guilty.
Do you honestly think there was anyone on the jury that understood what he did, and wasn't just taking the persecutor's modern-witch hysteria as fact? That "jury of your peers" thing fell by the wayside a long time ago.
It's ridiculous how a single, cohesive act can be broken apart into individual charges, each of which has its own punishment independent of the others. It's like sentencing someone for murder to 10 years in prison and another 3 years because the person used an illegally acquired weapon to do it.
You are also conflating the issue of sentencing with the issue of charging.
The charging/conviction part is actually relatively sane.
You can be charged of things you cannot be simultaneously convicted of.
You can be convicted of anything that is not a lesser included offense of something else.
I.e., you could be charged with manslaughter and murder of the same person, but not convicted of both, because manslaughter is a lesser included offense of murder.
As for the federal sentencing guidelines, they were created to standardize what was previously a complete crapshoot. Rightly or wrongly, they were at least based on real data.
They give guideline ranges based on an offense level and criminal history.
The offense level is determined based on the crime plus any enhancements.
So yes, you may start out at offense level 23 for murder, and then add 4 more levels because you used an illegally acquired weapon to do it.
However, this is still the sentence for murder, not for the illegally acquired weapon (and note that if the illegally acquired weapon is used as a sentence enhancement, the facts must be proven to the jury)
Most of the time they do have multiple charges with murder, especially if the gun is illegally acquired. Whether or not the sentences for multiple convictions are concurrent or end-to-end may be at the sentencing judge's discretion, not sure.
One act can certainly have multiple consequences, driving a stolen car through a mall mowing down people and kiosks would entail a lot of charges, even though it would be a "single cohesive act".
That said, I'm not sure about the hacking rule, and I don't know the full details of the 1986 law they are prosecuting under, and whether it has been amended or what amending it needs.
I wonder if he's going to become a modern Ned Kelly. I'd hope not, I'm sure there's better folk heroes for us.
He remained unrepentant; he said next time he'd go the harsher route. Rather than detecting the flaw and reporting it, they made sure to collate a lot of information from the leak and, according to weev, reported it before approaching Gawker.
I think the sentence is out of line with his crime, but he was never going to get a slap on the wrist and told to go his merry way. They've probably done their homework and found he's been up to merry hijinks with computers for longer than most people have known how to email.
Maybe slightly cynically of me, I wonder if this is his act of ultimate trolling, to force the courts to go for a harsh sentencing and to get a wave of sympathy that leads to people DDoSing .gov pages.
I think the thing that doesn't sit right about this is that he accessed the data with entirely ordinary means, but it's called "access without authorization" simply because the company didn't want him to have it.
If a company accidentally puts a link on their homepage to private info (say, with a typo) and users click on the link and read the page contents, are they then violating the CFAA because they should have known that the company didn't intend for them to view that information?
If you get naked in front of a window visible from the street, you can't get mad that someone saw you.
Probably because they were the ones who royally screwed up in the first place, disclosing tons of customer details to literally anyone who wanted it (including automatic web spiders), and nobody from AT&T is going to spend a day in jail or pay restitution for that.
Precisely that. Sure, he made a mistake, but so did AT&T, and now because of it he's potentially going to spend 41 months of his life in jail. Life is too short as it is.
I can see where you're coming from saying something like that... But it is a mistake in my eyes. It was an unwise decision that he probably would not have made had he known he faced 3+ years in prison.
That being said, this guy is obviously not a saint. I don't want to sound like I'm defending his affiliation with GNAA or the fact that he went to Gawker with it.
If it had been someone who gives to community, is polite, and respectful, and instead had gone to the NYT or another publication, they still could lose 3+ years of their life. To a mistake.
Yeah, he banged on the keyboard and made a typo and accidentally fell into a 100K of AT&T user records, and then he turned and these records stuck to him and then when he was trying to get rid of them they accidentally fell on Gawker. That's how it happened, judge, and if you don't believe it you must be bought by AT&T.
The wording of popular news outlets like [0] really casts a doubt on their work in other areas too. If this is journalism in a reputed company, then how can we expect an impartial and honest media?
I keep seeing posts referencing that his actions were "technically trivial." How does anyone propose we write or enforce legislation based on that criteria?
How about, for unauthorised access to have occurred, the data accessed must have been 'secured', with 'secured' defined according to industry practices.
If I told a client that I had 'secured' their website, but access was available by incrementing an integer, they could sue me and they would win.
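The "incrementing an integer" point above is the only technical detail this thread turns on, so here is an added illustration of it (this is example code written for this page, not AT&T's code or anything weev published; the account table, session store and function names are all constructed for illustration). The vulnerable handler hands back any record whose sequential ID exists, so walking the integer range dumps the whole table. The hardened handler returns a record only when the caller's authenticated session owns it, so the same walk from one session yields exactly one record. Whether the first form counts as "secured" in any meaningful sense is the question the comment above is asking.

```python
"""Sequential-ID lookup with and without an ownership check.

Everything here is constructed for illustration: the accounts, the
session store and the handler names are hypothetical, not a real system.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Account:
    id: int
    email: str


# Constructed sample table: five sequential IDs, obviously fake addresses.
ACCOUNTS: Dict[int, Account] = {
    i: Account(i, f"user{i}@example.invalid") for i in range(1, 6)
}

# Constructed session store: opaque session token -> account id that logged in.
# Only account 3 has a live session in this example.
SESSIONS: Dict[str, int] = {"tok-for-3": 3}


def vulnerable_lookup(account_id: int) -> Optional[str]:
    """Return the email for any existing ID.

    Nothing ties the request to a caller, so possessing a valid integer is
    the only 'credential'. This is the shape of an insecure direct object
    reference: the ID is a lookup key, not an authorisation.
    """
    acct = ACCOUNTS.get(account_id)
    return acct.email if acct else None


def hardened_lookup(session_token: str, account_id: int) -> Optional[str]:
    """Return the email only if the presented session owns the requested ID.

    An unknown token, or a token for a different account, gets the same
    answer as a non-existent record (None), so the response does not reveal
    whether the ID exists.
    """
    owner = SESSIONS.get(session_token)
    if owner is None or owner != account_id:
        return None
    acct = ACCOUNTS.get(account_id)
    return acct.email if acct else None


def harvest(lookup: Callable[[int], Optional[str]], max_id: int) -> List[str]:
    """Simulate the 'increment the integer' walk and collect what comes back."""
    return [e for e in (lookup(i) for i in range(1, max_id + 1)) if e]


def harvest_vulnerable(max_id: int) -> List[str]:
    """Walk IDs 1..max_id against the unauthenticated handler."""
    return harvest(vulnerable_lookup, max_id)


def harvest_hardened(session_token: str, max_id: int) -> List[str]:
    """Walk IDs 1..max_id against the ownership-checked handler from one session."""
    return harvest(lambda i: hardened_lookup(session_token, i), max_id)


if __name__ == "__main__":
    print("vulnerable:", harvest_vulnerable(100))        # all five records
    print("hardened:  ", harvest_hardened("tok-for-3", 100))  # only user3
    print("no session:", harvest_hardened("bogus", 100))      # nothing
```

The walk in `harvest` is deliberately naive: it tries every integer up to a bound, which is exactly what makes sequential IDs cheap to enumerate. Note that switching to random, unguessable IDs would slow that walk down but would not replace the ownership check; the check is what makes the lookup authorised rather than merely hard to guess.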
Cruel and unusual punishment, again prison for a non-violent crime (non-repeat). We are definitely backwards and feudal in this aspect. Non-violent crime resulting in prison time is a net loss for everyone and everything involved except private prisons. Everyone loses in this situation. Do you want to pay for this guy to sit in prison with your tax dollars?
What would have happened if they jailed Woz + Jobs back in the blue box days?
If you want to get technical, accessing the records in the first place is the crime. All the rest is just demonstrating the intent and the public interest in prosecuting him.
3.5 years for accessing public urls and then forwarding the information on to a media organisation (yes I know it's Gawker, but still). Makes me wonder what Aaron would have got if he'd gone to trial.
Would Swartz have done an AMA the night before sentencing where he would state that his only regret was that he had not harmed enough people, and promise next time to do more harm, and then have the prosecutors bring that AMA to the attention of the judge at sentencing, likely causing the judge to opt for a much longer sentence than he would have otherwise given?