Security Researchers tell court: We do what Andrew Auernheimer did (groklaw.net)
162 points by walid on July 23, 2013 | 110 comments

This is really important to those of us in the infosec industry. A criminal sentence for changing a parameter in a GET tag is not appropriate. I wonder whether blocking tracking cookies could also be considered unauthorized modification.

Unfortunately there's huge incentive for companies with a public reputation to make this sound like the work of evil hackers rather than their own unwillingness to perform basic security protection on their public-facing services. Money on lawyers and PR are only spent when there's a known threat whereas preventative security is successful when nothing happens.

No, because CFAA isn't a strict liability crime and the prosecution is required to prove intent.

Changing from:


shows intent to gain access that you were obviously not authorized for, even if you immediately report what you find.

Wasn't it ruled that accessing stuff that you aren't authorized to that is publicly (within a company) accessible to all on a shared drive violates the CFAA because you are exceeding your authorization?

What if someone makes a typo entering their SSN in the form that leads to this page, are they also a hacker? By your definition, they would be.

If your data is on the internet and not secured, it is being scraped by robots constantly for a start, some of which might iterate counters, so some responsibility lies with those who maintain the website. There isn't a clear line like the threshold of a dwelling we can point to, because it's not always clear which urls are authorised for a user and which are not. Ultimately you're not going to stop the curious, and bots, from scraping the web, so if there are no access controls on your payroll you can expect data to leak, even if you come down hard on every single person you find accessing it without authorisation.

I think the emphasis here should be on intent, as shown by the data taken, and what was done with it, not on trying public urls. If someone shows intent to steal information by changing urls, then downloads the info, then uses it for identity theft or sells it on, that's clearly a crime, and unless they have mitigating circumstances, perhaps it deserves a fine or a very short jail sentence for serious cases. I do think the sentences today are excessive for this sort of activity.

If they simply access a URL as you propose above, I don't think you can show intent. Even if they access several urls, was their intent to explore, or to steal information, or did they just follow a bad set of links or make a mistake with their web crawler?

You've missed the point. Making a typo and accessing the page once with the wrong SSN using the submit buttons on the web page provided has absolutely no intent.

Using an automated script bypassing the webform to cycle through as many as possible clearly shows intent to access something you're not supposed to.

People don't just access urls at random, they will never type a url with query strings into the browser.

They click links or submit forms.

Someone pen testing a website will be deliberately circumventing those methods.

It's like running wireshark on a public unsecured network, there's likely no good reason for you to be doing it and you know what you're doing if you're running that tool.

That's intent.

Note: I'm personally very pleased that they're fighting this. Just wanted to clarify what they mean by intent.

"It's like running wireshark on a public unsecured network, there's likely no good reason for you to be doing it and you know what you're doing if you're running that tool."

I for one don't really see what the issue with that is.

If you plug into an internet gloryhole whose infrastructure you don't control or trust, well, that's on you.

Running wireshark only shows packets that are delivered to your network interfaces. If people didn't want you to have that data, why did they route it directly into your computer's network port?

Using tcpdump after setting your wireless card into promiscuous mode will store all packets going over the air nearby. So, wireshark can easily be used to view the contents of traffic that was not routed to your machine.

People set up radios and broadcast data completely indiscriminately? I would argue that is like yelling a conversation and then being shocked that people might overhear you. (Also it only gets certain packets depending on what network you're joined to, what channel you're listening on, etc.)

I agree about the yelling part. But, to clarify, you don't have to join a network, and you can always scan channels. Although chances are that most people around (e.g., at a coffee shop or airport) are broadcasting on a specific channel.

I agree intent is important.

I disagree visiting a link, or links, is enough to give you intent, it's just not enough information, is too similar to normal web activity and would mean the potential criminalisation of all sorts of innocent activity.

The prosecution is required to prove intent, beyond a reasonable doubt, to a jury. It's not something you get mechanically.

What kind of intent do they have to prove? That he intended to use this method to see if he could access the information, or that he intended to gather the information for other purposes?

They have to prove the criminal intent behind the CFAA. They have to prove that you knew you shouldn't have access to the data; that you in effect deliberately lied to the computer. They have to make their case on both mens rea and actus reus.

Not every criminal statute works that way (there are "strict liability crimes", like statutory rape), but most do.

Does it? Maybe it shows intent to see what kind of fancy 403 page payroll.example.com is employing?

I think one of the reasons people (including me) have problems with penalizing GET parameter change is that they are obviously visible and trivial to change. They are a part of URL and pretty much designed to be modified by hand. Growing up on the Internet we learned that if we want to see e.g. the next page of the gallery or board, we don't have to look for "next" button. We just change /0/ to /1/, or ?start=100 to ?start=150 in the address bar and press ENTER. It's easier. It's quicker. It's more natural. I can't feel that there's anything wrong with changing a GET parameter. It doesn't register on an emotional level.

My personal feelings are that on the Internet you're supposed to use HTTP codes like 403 or 404 to mark places a user is denied access to. IMO the space of legally accessible addresses for a given user should be defined by a superspace of all URLs that return 200 OK when that user tries to access them. If you screw up and serve sensitive data without a proper access check, it should be your (legal) responsibility, not that of the person who (accidentally or not) discovers this.

Just because you're used to it, and because you find it easy and natural doesn't mean it is or should be legal.

There are people who, upon seeing the goods laid out in a shop, will find it easy and natural to just pick them up and walk out. They find it easy and natural. It's right there.

I'd analogise it to an open book in a public space. The information is there for you to see when you walk up to it, and you have to interact with it (turning the page) to see the other information. On being caught turning the pages on the book, you get yelled at and imprisoned, despite your contention that it's the book owner's fault for not making sure turning pages was prevented.

So what about looking at files in a hospital? Nothing wrong with that right? No-one can say anything bad about writing "Mr. Walsh had his testicles removed!" in the local paper. Right?!

This is the flaw with the analogy, as with all analogies that try to map meatspace to the internet. It would probably make sense to say that the book has been left in an apparently public space.

You'll get sued for disclosing the data to a newspaper, not for looking at them in the hospital.

Can we please refrain from trying to make analogies to stealing? Or really, any analogies to the physical world?

I was referring to the "wondering if blocking tracking cookies" question. I don't have a problem with criminalizing attempts to pull up random people by their SSN.

> I don't have a problem with criminalizing attempts to pull up random people by their SSN.

If I see that the URL contains my SSN, and want to investigate if they were stupid enough to have this as a security hole, what are my options?

You seem to say that if I pull up the page of someone else, I am immediately a criminal and need to go to jail.

Should I instead report the possible issue to the company? Will they actually take, "I see that SSN is in the URL and that might be security hole, but I don't know for sure because I haven't attempted to try it," seriously? Hopefully they would, but I find that hope to be way more optimistic than the 'real world' should get credit for.

You don't get to break into a bank because you want to see if you can exploit a security hole.

What you're talking about is more akin to wiggling the bank's door handle and then leaving. What weev did is break in, steal a bunch of documents, and then talk about selling them.

"Breaking in" suggests that there is access control (locks, doors, walls, etc) in place.

AT&T admitted in court to publishing this data on the web. Emitting email addresses in response to ICCIDs was a specific feature they explicitly implemented to reduce the number of steps required to resubscribe to service, not a "security hole".

Your physical analogy is inappropriate, and serves to frame his actions as criminal when they are clearly not.

Please read the brief.
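The lookup pattern described in the comment above (a record returned to whoever supplies an identifier, with no authenticated principal) as an added illustration; this is not code from the thread or from AT&T. It shows the weak form beside a hardened form that binds the lookup to the session owner and answers 403 otherwise, plus a log check for identifier sweeps. The identifier values, user ids, addresses and log records are constructed.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample account table: identifier -> (owning user id, e-mail).
# All values are made up for this illustration.
ACCOUNTS: Dict[str, Tuple[str, str]] = {
    "8901000000000000001": ("user-a", "a@example.com"),
    "8901000000000000002": ("user-b", "b@example.com"),
    "8901000000000000003": ("user-c", "c@example.com"),
}

Response = Tuple[int, Optional[str]]  # (HTTP status, body)


def lookup_insecure(iccid: str) -> Response:
    """Weak design: the identifier is the only input, so anyone who knows or
    sweeps the identifier space receives the record. The 404-vs-200 split also
    confirms which identifiers exist."""
    rec = ACCOUNTS.get(iccid)
    if rec is None:
        return 404, None
    return 200, rec[1]


def lookup_hardened(iccid: str, session_user: Optional[str]) -> Response:
    """Hardened form: require an authenticated principal, then check that the
    record belongs to that principal. Missing and foreign records get the same
    403 so the endpoint does not act as an oracle for valid identifiers."""
    if session_user is None:
        return 401, None
    rec = ACCOUNTS.get(iccid)
    if rec is None or rec[0] != session_user:
        return 403, None
    return 200, rec[1]


# Constructed access-log records: (client address, identifier, status returned).
# 203.0.113.7 walks sequential identifiers and is refused each time; the other
# two clients each touch a single identifier.
SAMPLE_LOG: List[Tuple[str, str, int]] = [
    ("198.51.100.2", "8901000000000000001", 200),
    ("203.0.113.7", "8901000000000000001", 403),
    ("203.0.113.7", "8901000000000000002", 403),
    ("203.0.113.7", "8901000000000000003", 403),
    ("203.0.113.7", "8901000000000000004", 403),
    ("203.0.113.7", "8901000000000000005", 403),
    ("198.51.100.9", "8901000000000000002", 403),
]


def flag_identifier_sweeps(log: Iterable[Tuple[str, str, int]],
                           threshold: int = 5) -> List[str]:
    """Detection: a client refused on `threshold` or more distinct identifiers
    is sweeping the key space rather than mistyping one value. Returns the
    flagged client addresses, sorted."""
    refused: Dict[str, set] = defaultdict(set)
    for client, iccid, status in log:
        if status == 403:
            refused[client].add(iccid)
    return sorted(c for c, ids in refused.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print(lookup_insecure("8901000000000000002"))
    print(lookup_hardened("8901000000000000002", "user-a"))
    print(flag_identifier_sweeps(SAMPLE_LOG))
```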

> "Breaking in" suggests that there is access control (locks, doors, walls, etc) in place.

No, it doesn't. See, this is what happens when you start talking about crimes on the internet when you really shouldn't be. If I leave all my doors and windows opened, or if I put a box of valuables in the middle of an empty lot that I own, it doesn't suddenly make it legal for people to steal from me.

AT&T leaving their doors and windows open does not suddenly authorize any ol' grody troll to walk in and take personal information.

Whether you like it or not, his crime will be made into a physical analogy.

I _mostly_ agree with you.

How about _this_ analogy?

AT&T left a box of valuables in the middle of a lot they own, and weev walked by and grabbed them. Problem is, they weren't AT&T's valuables, they were mine and yours and 100,000 other peoples who'd entrusted AT&T with them.

Now who's "the bad guy"? Who's the more culpable "criminal"? Who would we be holding to account if it were a bank who'd piled up the cash from 100,000 people's savings accounts into a building with all its doors and windows open?

Sure, what weev did was wrong. I don't think it was the _only_ wrong done here, or possibly even the "worst" wrong.

I think that's fair. AT&T should be reprimanded for a serious lack of security — how much they should be reprimanded would be another topic for debate.

But it doesn't take away from weev's crime (both this one and his previous harassments.)

Sorry for your distorted reality. You're saying that everyone who accesses unsecured information on a badly secured server gets reprimanded. You're placing the onus of security on the user which makes your point pure BS.

Granted. But how do you propose that AT&T would ever be reprimanded without someone like weev?

I strongly believe that weev should have notified AT&T before Gawker. But if they were unresponsive, as often happens, what then?

On the other hand, when AT&T leaves its doors and windows open 'in the web' they get a free pass from the general public because the technical aspect is lost on them.

If a bank used someone's first and last name as the 'access control' to their money, sure someone breaking in and stealing things is wrong, but should the bank be punished for negligence? Probably. When companies have security breaches 'on a computer' why is this different? Why the free pass? Why is the person that 'broke in,' or that that pointed out the flaw without breaking in the bad guy? Why aren't the companies themselves held to task for creating shoddy controls, and not following best practices when it comes to computer security?

A better example to demonstrate what's going on to the public would be to have a web form that says "Enter your SSN#" and a submit button. People understand that. Changing the terms in the URL bar is voodoo to many people, and this unfortunately leads to the belief that someone exercised nefarious skills to pull off an attack.

It's more like if you wrote out your customers' personal data in a book left nailed to a front door that opens onto a public street and then tried to criminalise anyone who looked at pages that weren't relevant to them.

This is somewhat reasonable, since people need to actually come onto your property to access the book. It's probably unreasonable to say that someone was trespassing because they walked up to your door.

No they don't, the door opens onto a public street and the book is nailed to the front of it. This hypothetical book can be read while standing on the sidewalk. Sorry for not being more clear.

sneak said: "Breaking in" suggests that there is access control (locks, doors, walls, etc) in place.

ceol said: No, it doesn't.

I say: Yes it does. Your house has walls and probably a picket fence too. Either one is a boundary. The keyword here is "boundary" and not "locks". Having people's info waiting behind a serial number is not a "boundary" but rather a key-value pair accessible from the public domain. Your house is not accessible from the public domain because you have boundaries. Your servers are accessible from the public domain because you specifically have to put them online and make them accessible. Once you make servers accessible from the public domain then it is your responsibility to safeguard the privacy of what you put there. Weev did not DDoS the servers or inject SQL into their code. He accessed public info. Similarly if you put public info about you on facebook then it is not a security breach if I go there and check it out.

Physical analogies do not work regarding the internet. What happened is like he was given an address, he drove to it in a van, and a screen showed him his email. Then, he extrapolated that the buildings in the block he went to would do something similar, so he drove around to them in a car labeled 'VAN' and they showed emails.

First, you don't actually have the right to conduct security testing on third party servers. Nor should you. Real application security testing is disruptive, and in authorized tests, companies often take pains to ensure that testers aren't exposed to real user data.

Second, if you poke around to confirm the security or insecurity of an application, immediately report results to the target, and comply with requests for information, you may be civilly liable for damages (which it's unlikely anyone would pursue, given the PR implications) but are probably not violating the CFAA even as it's written today (that is: badly).

What is your plan to hold companies to task then? Especially when you can't confirm that your suspicions are correct?

Responsible disclosure? Say that you disclose your concerns to them. How does that play out?

1. They respond to you. They say that it is not a security flaw. You just have to trust them that there is no security flaw.

2. They respond to you, and tell you that they will not fix it. You tell them that if they won't then you'll disclose it to the public. They try to claim that you are extorting them.

3. They don't respond to you. You disclose it to the public. Turns out that it wasn't a security flaw. You are sued for defamation/libel/etc.

4. They don't respond to you. You disclose it to the public. The company has egg on their face and fixes it.

I think that the biggest flaw in the system is that companies are not held to task for their security flaws. I realize that if all software had to be perfect it would cripple the industry, but at the same time there has to be some idea of criminal (or at least civilly liable) negligence for people/companies that don't at least follow best practices.

I don't think random strangers on the Internet conducting unauthorized testing are really making much of a difference either way, so the prospect of changing how much of that goes on doesn't really factor in for me.

What if you are not a random stranger but someone whose information they hold and may be improperly securing?

The best way may be to get another user to allow you to try entering their social security number to see what happens. I don't see that the company could have any issue in that case.

If you're asking, do I think people who do independent unauthorized security testing of applications to protect their own information make a big difference in the real world, my guess is "no".

My response was poor because I was responding to your post 'random internet user' and also your ancestor post about the right to do basic independent unauthorized security testing without being clear. I think I objected to the characterization of the people with something to lose as "random internet users" which I inferred from your posts and you may not have stated.

Having said that I have certainly read of a number of cases where a difference has been made although it may not be a big difference to the overall world.

And while manually fiddling a couple of URL parameters would seem to me a valid sanity check of the service you were using I don't think that would give you the right to run nmap against their servers looking for vulnerabilities or running an automated fuzzing of the URL parameters or crawling the returned results.

This does not mean that I think the crimes with which Weev was charged or the sentence are remotely appropriate. From what I have read he may deserve to be in jail (mostly for harassment, threats and blackmail) but that is what he should be charged with, not this AT&T case. Given that he eventually handed the data over to a journalist I would give him a lighter sentence (if any, and I was judge/jury) than I would give to AT&T (if it was in the UK and I was the Information Commissioner). I don't know of any data protection requirements in the US (for non-health data) so they may not actually have been criminal, but they certainly were negligent.

Then what's the point of all the bug bounty programs out there?

First, that's not unauthorized testing. Bug bounty programs attract better, more talented testers, because they're compensated and (just as importantly) because they take much of the risk out of testing 3rd party services (a company that offers a bug bounty will have a hard time freaking out about bugs when they're reported).

Second, the companies that offer bug bounties tend to be ones that often spend well into 7-8 figures on security already.

If you can access your own record without authentication shouldn't that be good enough proof? Why do you need to access everyone else's information illegally to prove that your own is available without proper controls in place?

Could we not turn that objection around to say we'd like to see implementations that allow exposure of random people's payroll data by typo-ed/bit-rotted/guessed SSNs should be criminalized?

In my head, this is related to the "expectation of privacy in public" and "ubiquitous surveillance" arguments. If somebody makes available on the public internet, a system that reveals my payroll data "secured" only by an enumerable/guessable SSN - while an attacker exploiting that vulnerability is "in the wrong", so too in my opinion is the developer/management/company who deployed that system.

It seems to me that AT&T should be being held to account for their actions at least as much as weev is. If the data weev acquired was worth prosecuting over, then AT&T need to be considered culpable/negligent for its exposure.

I have no problem with attaching penalties, perhaps even criminal ones, to negligence on the part of people deploying apps, too. I don't see why it has to be one or the other.

Incidentally: I have literally no opinion about the Auernheimer case, so don't read anything into these comments.

This could be the basis for a class action(?) lawsuit against AT&T for gross negligence in handling sensitive data.

This is absurd. If there are no access controls, but it's still a crime, we're going to have to determine if we can legally access all web addresses beforehand. But that's what 403 status codes are for.

The same thing happens in real life all the time. We're supposed to use our brains and make ethical decisions on our own, not simply rely completely on technical safeguards to clue us into proper behavior.

What he did was unethical. But the idea that connecting to a URL you changed on a hunch could ever be a felony is outrageous.

Imagine if it had been comics published online. Because the server refuses to interact with your Chrome browser, you tell the website you are an IE. Because the "next" button is small, you use keyboard shortcuts to change the URL and view the next one. Without realizing it, you view a handful that weren't released yet. That's now a felony with a court precedent.

Why does it have to be binary with all you guys? :P

I didn't say weev deserved a felony conviction. I said he dun goofed, as a counterpoint to what many here are saying, that because the API he accessed was unauthenticated, it meant he did nothing wrong. That argument's completely bogus as well, just as much as a 2 year prison sentence for this is bogus.

I don't think what he did is ethical and I would be happy to see him jailed for an actual crime.

But talking to a webserver isn't like entering a house. It's like making a phone call. "Hi.. my name is Firef--, I mean, Mobile Safari. Can I have your email?"

I think creating a precedent for prosecution when accessing a number of web pages after spoofing a header is far, far worse than making an example of a troll that exploited a loophole to grab information that he shouldn't have. When talking to a webserver, without a clear separation between public and private with something like an API key or username/password, the only possible convictions we should allow is over DoS and that is only if there is malicious intent.

> the only possible convictions we should allow is over DoS and that is only if there is malicious intent.

What's 'malicious intent'? Is it what the 'reasonable person' decides it is? If so I don't see how what you're proposing is significantly different from what I've been saying.

Likewise a DoS is not the worst possible thing you could do to a website with an unauthenticated API. Why do you carve open an exception for DoS but not for e.g. identity theft or doxxing?

Why do you think it's reasonable to make people take a guess (even an educated one) at the intent of the site operator?

The law is full of "reasonable person" tests like this.

Unfortunately, "reasonable person" varies with the times. In Nazi Germany, a "reasonable person" would have understood that the reason they lost WW1 was due to the Jews. /godwin

[I also take issue with usage of the term 'common sense' because it is so nebulous.]

If you want to re-litigate all of English Common Law, I've got no objection, but not much to contribute.

"Reasonable person" varying with the times is actually kind of the point though.

Laws exist to inform the actions of people, not computers. I think that's lost on people of our expertise sometimes when we start to seriously envision a world where there is no ambiguity whatsoever for a given action.

But we've already seen a world like that: It's called 'zero tolerance' just as we see at schools in the U.S. and it's been, on the whole, a disaster.

Anything other than zero tolerance or full tolerance leaves room for interpretation, no matter how much you try to pin it down. At least with 'reasonable person' tests we know that ahead of time.

While 'zero tolerance' is a disaster, I really don't like the law being too open-ended, because then I can never be certain how my actions will be interpreted in light of the law.

You're right, but unless you're both a lawyer and a genius then the cold hard facts are that you really can't ever be certain how your actions will be interpreted in light of the entire law.

I used to think this was an issue with the law, that we need to take out loopholes and corner cases. But in the process of specifying allowable and unallowable behavior you make the law so expansive that it can never be grokked.

By making the law simple, you make it fuzzy and now we're back into your problem.

I would blame the lawyers and legislators, but honestly I have extremely simple programs that I can't actually predict the behavior of, and the computer does exactly what I tell it to.

I don't say this to say that we shouldn't fix the law, only that I think at some point you (the royal you) have to come to grips with "c'est la vie" and just not worry as much. Either way you can't completely win, so why fret over what you can't control?

The problem is that criminals are free to harvest data thanks to insecure programming, while white-hat hackers are banned from discovering these vulnerabilities (hopefully) before they are exploited.

There is not in fact an arms race going on between unauthorized white hat hackers and criminals.

You are explicitly authorized by the specified policy that uses SSN to look up the data. If you aren't authorized, why is it sending you the data?

If you make no effort to authenticate requests, I find it very unreasonable to act like any requests are unauthorized.

So what about denial of service attacks going against just the public unauthenticated API?

Just because AT&T does a boneheaded security implementation for which they deserve sanction, does not entitle weev or anyone else to go beyond ethical boundaries in discovering (and in weev's case, abusing) that security lapse.

I think DoS is covered by clauses other than just authorized or unauthorized. You can't legally DoS people even if you are an authorized user.

> that security lapse.

I don't think you can call this a lapse. It's not like they had passwords but forgot to change them. They designed it without any security.

> They designed it without any security.

Is that the only criterion now? You'll only do the ethical thing if someone else remembered to bake in technical safeguards?

To some extent, I disagree. It can set a pretty high de facto bar especially for the independent researcher. Sure, eventually -- if the world and the court you land in are a fair and decent place -- you may be absolved. But you may spend a lot of time and money getting to that point.

Facing what appears to be frequently very if not overly aggressive government prosecution, and/or private prosecution (so far, civil -- although see e.g. privately driven criminal prosecutions in the U.K.) by very well funded, perhaps overwhelmingly funded legal teams motivated by parties who as often as not seem to want to bury any and all bad publicity while discouraging any efforts that might -- even when justifiably -- dig it up...

I guess I view the top level Internet IP address space as a public space. If you can't put onto and manage your resources on it in a responsible and secure fashion, you deserve what you get.

Going from memory, as I understand it, there was no "subverting an authentication system", here. He merely iterated a public parameter. Granted, he apparently stepped through a lot of iterations, but a script can do that, even inadvertently, as IIRC was alleged to have occurred in this instance.

Ultimately, he didn't sell or otherwise misuse the resulting data. My personal inclination would be to argue that at a minimum, benefit of the doubt should mitigate against a felony-level conviction.

Also personally, my own dealings with AT&T have left me with absolutely no sympathy for them. The SBC culture from which their senior management devolves I have found to be atrocious.

They should spend less time looking for scapegoats to fry and wave in front of the next person to find one of their shortcomings, and instead "man up" and fix their own processes and systems.

Finally, in many such cases, it does seem to be the individual who is finding these problems and therefore causing them to be fixed. As the holder of online accounts and data, I don't want to abandon that field to some combination of lackadaisical corporate process along with un-prosecutable malicious entities in Eastern Europe, China, or wherever.

I know you're the expert in this field. And I don't mean to disrespect your work nor your commitment to excellence. Nonetheless, my own not insignificant experience has shown me repeatedly and taught me how, absent independent pressure, entities often don't get around to fixing such problems and can actually create de facto strong internal disincentives to doing so. I've seen this, repeatedly and at many organizations including very large and successful multi-national firms, myself.

I've seen it from the inside, where I've had to take damage and career risks in order to get things addressed. Even as a well-meaning employee of an organization with such a problem, I worry what "doing the right thing" may cost me.

We are increasingly forced to rely on them -- banking records, medical records, etc., etc. The onus should be on them -- to get this right. If nothing else, I can argue that economically it is they who can afford the risk (that is, the responsibility and cost of pro-actively mitigating it). And that should be a factor that is considered when determining where the balance in the law rests.

One argument that I've seen made, is that European credit and debit cards have chip and pin because the European banks bore a greater risk for and cost of fraud. Economic incentives can be an important factor in creating and maintaining security. Criminal risks can be, as well, but perhaps in a different fashion than we are talking about for this case. For both the economic and the criminal liability, the weight needs to rest more heavily on the parties blatantly leaving personal data vulnerable.

Such entities seem to demand ever more of the resources society has at hand -- financial, legal, etc. They should bear the responsibility, along with this. If one guy and his laptop can catch them out, and particularly if he's not doing evil with the results, well, then, shame on them. Stop focusing so much on "the hacker".

I kind of got the impression that Weev getting sent up for identity fraud was a lot like Al Capone getting it for tax evasion. Which is to say, he was a sadistic monster of a troll who delighted in ruining people's lives, but he was cunning enough to never quite cross the criminal-harassment line with anyone brave enough to press charges, so they got him on this instead.

It's a rotten precedent, and I can't really blame anyone for opposing it on principle, but let's do remember that Weev himself is not any kind of hero.

It's what's called a trumped-up charge, or Kangaroo Court. This kind of thing happens to unsympathetic defendants like Weev first. Then later it can happen to anyone who gets in the way.

I blame anyone for not opposing it on principle. If you're ok with some trumped up bullshit because you don't like the person, fuck you (not aimed at you personally).

I'm okay with it. Weev is the type of guy I wish was behind bars. He's a stain with no redeeming qualities that I can tell. He takes a lot of joy in causing people pain, and many people's lives are better with him behind bars. So I don't really care if it's for wire fraud or tax evasion.

I owe someone else on HN for introducing me to this quote:

"The trouble with fighting for human freedom is that one spends most of one's time defending scoundrels. For it is against scoundrels that oppressive laws are first aimed, and oppression must be stopped at the beginning if it is to be stopped at all." —H. L. Mencken

Unpleasantness is not a crime. Which judging from your post is probably something you should be thankful for.

What weev did crossed many times into criminal territory. He harassed a lot of people in ways that made it either hard or unlikely to press charges.

Seriously, save the reaching argument for people who aren't complete scumbags.

I think that people who employ your kind of cowboy-film morality on suspension of rights for those they dislike to be complete scumbags.

I'd still want you to have a fair hearing if you ended up in the shit however, as I hold the quaint notion that the criminal justice system should at least attempt to be more than a popularity contest if it wants to retain any kind of legitimacy.

So prosecute him for the shit that deserved prosecution and leave the CFAA out of it.

Well someday we'll get CFAA reform... but even then I'm convinced that weev in particular would still have run afoul of it in this case (though presumably a misdemeanor variant of it).

Security researchers in general wouldn't run afoul of even the current version IMO, though it's certainly prudent for security researchers to re-emphasize how key some of those techniques are for them, so that we don't end up in a surreal situation where even altering a URL, cookie, etc. one time would subject one to conviction under CFAA.

What the current version means depends on how it works out in prosecutions. If weev is prosecuted, normal security research is endangered.

That's the whole point of the Mencken quote squeak posted. Another favourite: "Bad cases make bad laws" - if bad principles get enshrined in the precedents made by convictions of bad people, those bad principles will hurt good people or good activity down the line. That's precisely why the EFF, Schneier, Felten, et al., are devoting their precious time to this case.

Prison as punishment to force behavioral changes is really messed up, even if Weev is a scumbag.

What exactly did he do to other people?

If a person is a criminal in general I don't really care if he hasn't done the one particular crime he is nailed for if he is clearly guilty of others, but just being an ass should not be criminal.

Also don't forget that Weev was considering selling the info he got, before he decided to be lazy and just tell the world. So not only is he a massive troll, but his motives for the "hack" were also less than saintly.

You can, in fact, forget that. We should judge people to be criminals or not based on their actions, not their daydreams.

Also, how is it lazy to create a media shitstorm and get your house raided versus making some free money quickly and quietly? Are you really trying to frame his turning down free money as the MORE disdainful choice?!

You're conflating motivations with thoughtcrime.

We don't criminalize daydreams. And I'm not suggesting that we should.

However, we do take motivation into account with a great many crimes. For example, if you kill someone, your intentions, and how long you've had them, affect whether you get charged with manslaughter or murders 1 through 3.

It is in fact illegal to "daydream" (i.e. make solid plans) about doing certain crimes: https://en.wikipedia.org/wiki/Conspiracy_(crime)

To try and define the term "daydream" as being equivalent to "make solid plans" so that you can equate daydreaming with criminal conspiracy is some of the most tortuous logic I have seen in a while. Have you ever thought of a job as a government press secretary? You'd fit right in.

Trying to define "talking to your friends about how you're going to sell stolen information" as being equivalent to "daydream" is the tortuous logic I was responding to. Please read the entire thread and not just comments you don't agree with.

I did read the whole thread and I just read the published transcripts.

He does not say that he is going to sell stolen information.

He does remark on irc that the information is valuable and could be sold or used for a phishing operation, but that is an observation of reality, and can not be taken as a statement of intent without some other evidence showing that he was likely to pursue that course of action, and given that he then handed the list to gawker it would seem that this was not his intent, though the possibility had obviously crossed his mind.

To consider the possibility of indulging in criminal behaviour is not the same as planning to do so.

Typically Conspiracy requires more than just "dreaming". It requires an overt or concrete action being taken in the implementation of that daydream.

If that were the case then any number of "spy thriller" type authors would be potentially guilty of conspiracy for publishing their "daydreams".

glad i haven't been jailed for things i've considered. i'd be down for murdering a lot of commentators on hn...

<devil's advocate>If you "consider" stealing thousands of credit card numbers, break into a business and collect all the required data, then get lazy before you get around to incurring fraudulent charges and just boast about it instead, perhaps you _do_ deserve jail time</devil's advocate>

weev fucked up - and he _knew_ he was "fucking up" when he went from "finding a vulnerability" to "automatically exploiting that vulnerability to collect as much data as he could". Felten, Blaze, Schneier, Kaminsky - they would all have tried incrementing the get parameter - when it worked they would all have tried a bunch more times to confirm their assumptions, none of them would expect to get away with subsequent wholesale download of AT&T's customer data. Neither should weev.

IIRC, all he would have been selling is email addresses that are known to belong to iPad owners with AT&T as a provider. I don't recall that he had any credit card info.

Yeah sure. That's what the devil's advocate tags were about. I was arguing reductio-ad-absurdum - for some crimes, half carried through preparations should be punishable even if the intended "end crime" never got carried out.

I'm not suggesting weev was after credit cards or intending to commit fraud. But I stand by my second para - that Kaminsky or Blaze wouldn't have downloaded the entire database after confirming the vulnerability works - and weev should have known he was "doing something wrong" when he chose to. I agree that AT&T (and the prosecutors here) are _seriously_ overreacting, but weev was a fool if he didn't expect _any_ adverse reaction.

The mother that drove her daughter's friend/rival to suicide via fake MySpace profiles should have known that what she was doing was wrong, but a conviction for her on the grounds that using a fake name violated MySpace's Terms of Service, and is therefore 'hacking' under the CFAA, is just bad law. Making bad law to punish someone that was doing something 'bad' is a net-loss to society, not a net-win.


This stinks to me of AT&T and their legal team trying to make them look like "the victim" - where in truth their subscribers are the aggrieved parties here and AT&T are as much in the wrong from the subscribers' point of view as weev is.

That doesn't tell us the motives for the hack, just that he is possibly being honest about what ran through his head after finding something valuable.

Regardless, it seems that they're railroading a guilty person.

Is that supposed to make it OK?

If the man is actually guilty of a crime, convict him of that crime. If not, don't.

What you're saying is that we should convict innocent people of crimes they haven't committed because we don't like them. Do you not see the problem with that?

That's what the term "railroaded" means in this context: that a person is not being subjected to due process.

> he was a sadistic monster of a troll who delighted in ruining people's lives

Could you elaborate?

Sure. First, go read this: http://www.gossamer-threads.com/lists/fulldisc/full-disclosu...

djfooroach/Memphis Two is Weev, as per page five of this New York Times article. http://www.nytimes.com/2008/08/03/magazine/03trolls-t.html An excerpt:

Over a candlelit dinner of tuna sashimi, Weev asked if I would attribute his comments to Memphis Two, the handle he used to troll Kathy Sierra, a blogger. Inspired by her touchy response to online commenters, Weev said he “dropped docs” on Sierra, posting a fabricated narrative of her career alongside her real Social Security number and address. This was part of a larger trolling campaign against Sierra, one that culminated in death threats. Weev says he has access to hundreds of thousands of Social Security numbers. About a month later, he sent me mine.

In 2007, Kathy Sierra was the target of an avalanche of death and rape threats that drove her out of tech and public life entirely. http://en.wikipedia.org/wiki/Kathy_Sierra#Harassment Nobody seems to be quite certain why, except that it may have had to do with a blog post defending people's right to delete comments from their own blogs. Sierra said, "I have cancelled all speaking engagements. I am afraid to leave my yard, I will never feel the same. I will never be the same." Weev claims credit for this. He's proud of it.

There's plenty more out there, if you care to trace through Weev's many aliases. He was never shy about how much he loved brutalizing people. “I hack, I ruin, I make piles of money,” he boasted. “I make people afraid for their lives.” --The New York Times again.

Anything else you need to know?

Okay that does it, he needs to be locked up. What an utter little shit.

> We do what Andrew Auernheimer did.

You mean, exploit a weak access control scheme, fail to disclose the exploit properly, instead use it to download private data in bulk, make unwise brags to reporters about potentially misusing that data, and then be dicks to the judge?

> Most importantly, like Auernheimer, researchers cannot always conduct testing with the approval of a computer system’s owner. Such independent research is of great value to academics, government regulators and the public even when – often especially when — conducted without permission and contrary to the website owner’s subjective wishes.

It would be fun to do that in the real world; yes mister, I was walking in the mall at night. I thought an independent review of their security system was important. Here are some of their employee files that I found in a drawer as proof that personal information could be leaked.


More like "here are some of their employee files that were taped to the front door, and which I leafed through out of curiosity." Anything that is URL-accessible without password protection cannot seriously be compared to being behind locked doors or even on private property. It's in public view.

The brief leaves me with the impression that

  curl http://example.com/page[1-100].html (sequential download)
where no URL is password protected (open access)

is still a violation of the CFAA if someone can convince a court that such access was "unauthorized".

That's crazy.

And the prosecutor would probably proceed to call the above command "software". As in "the defendant wrote software..." Makes for a compelling narrative doesn't it? But the truth is, Daniel Stenberg wrote the software and included this feature for a reason. Was that reason to assist users with criminal intent? C'mon.

I can't help but think of all the many sources of exposed email addresses on the internet, whether they are exposed through ambivalence toward users' privacy or simply incompetence (as with AT&T).

Such sources are constantly mined by email marketers. WHOIS data comes to mind. Correct me if I'm wrong, but the information this defendant accessed was nothing more than email addresses. Is that right?

How many businesses on the web fail to adequately protect their customers' email addresses? Many more than just AT&T. And how many businesses sell their customers' email addresses to email marketers? Doesn't AT&T require customers to opt out lest their email address and other personal info be shared with AT&T "marketing partners"? I don't know, but I wouldn't be surprised.

I have no opinion on the guilt or innocence of this defendant. Maybe he deserves to be prosecuted.

But anyone with half a brain should be disturbed that a CFAA prosecution can proceed on a set of facts such as these. AT&T had to literally create "damage", by racking up a $7000 postage bill. Did the defendant "cause" money to be spent on postage? No, that expense was caused by AT&T's carelessness in exposing email addresses and their subsequent decision to notify customers of their mistake by postal mail. Whatever happened to mitigation of damages?

I guess there's probably much I don't understand about this case. But reading the brief, the interpretation of the statute sounds incredibly one-sided. With this sort of loose interpretation, how can anyone defend himself against a CFAA prosecution?

If a party wants to claim some access to their computer was "unauthorized", then maybe they need to set up a proper mechanism for authorization. Usually, that's a password. The URLs this defendant accessed, where he found email addresses, were not password protected. Putting confidential information at URLs that you don't think anyone will guess does not seem to me to be a proper system for authorization. Claiming that anyone who stumbles on these URLs is making "unauthorized" access seems like a weak argument. Apparently it'll do just fine.
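As an added illustration of the authorization point made in the comment above (constructed for this page, not code from the thread or from AT&T's actual system), here is a lookup keyed by a guessable sequential identifier with no authorization check, beside a version that only answers for the record bound to the caller's authenticated session. The names SUBSCRIBERS, Session, lookup_weak and lookup_hardened are hypothetical.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample data: sequential device identifiers mapped to account emails.
SUBSCRIBERS = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
}


@dataclass(frozen=True)
class Session:
    """An authenticated session: who logged in and which identifier is theirs."""
    user: str
    device_id: int


def lookup_weak(device_id: int) -> Optional[str]:
    """Weak scheme: the identifier in the request is the only 'credential'.

    Any client that can count can retrieve every record.
    """
    return SUBSCRIBERS.get(device_id)


def lookup_hardened(session: Optional[Session], device_id: int) -> Optional[str]:
    """Hardened scheme: require an authenticated session and check that the
    requested record belongs to it (an object-level authorization check)."""
    if session is None:
        return None  # unauthenticated: refuse regardless of the identifier
    if session.device_id != device_id:
        return None  # authenticated, but not the owner of this record
    return SUBSCRIBERS.get(device_id)


def leaked_weak(ids: Iterable[int]) -> int:
    """How many records an incrementing parameter yields against the weak scheme."""
    return sum(1 for i in ids if lookup_weak(i) is not None)


def leaked_hardened(session: Optional[Session], ids: Iterable[int]) -> int:
    """Same sweep against the hardened scheme: at most the caller's own record."""
    return sum(1 for i in ids if lookup_hardened(session, i) is not None)


if __name__ == "__main__":
    sweep = range(1000, 1010)
    print("weak scheme leaks:", leaked_weak(sweep))                       # 3
    print("hardened scheme leaks:", leaked_hardened(Session("bob", 1002), sweep))  # 1
```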

