Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I don't think it is like walking into a private home because the door is unlocked... this is more like someone walking into a store, looking around, and then getting in trouble for looking at a specific display shelf that was in the back corner. The shelf wasn't labeled as off limits, you just were wondering around where you were supposed to and happen to see it. The store can't get mad and say "well yeah, but we put it in the back corner where most people don't go... and we put sensitive stuff back there! How dare you look at it!"

Well it was right in the same store you invited me in to! There was no sign or lock or anything saying not to look at the shelf.

This was a PUBLIC website... you are supposed to be able to visit it. If you make a request to a server without providing authentication and it returns data, that is not your fault. That is what you are SUPPOSED to do to servers. If it asks for authentication and tells you you are unauthorized, but you brute force the password or find an exploit, then THAT is a crime. There was not authentication in this case.



>This was a PUBLIC website... you are supposed to be able to visit it. If you make a request to a server without providing authentication and it returns data, that is not your fault. That is what you are SUPPOSED to do to servers. If it asks for authentication and tells you you are unauthorized, but you brute force the password or find an exploit, then THAT is a crime. There was not authentication in this case.

Unfortunately none of these excuses are valid. He knew he was accessing something he shouldn't have been. If he did it once or twice and stopped that is one thing, intent is a major part of the law, and he intended to exploit something he knew he should not have been. That is why he is being found guilty.


If I find a $50 bill on a sidewalk I can INTEND to steal it as much as I want. But no matter how badly I WANT to steal it I cannot because at that point it's not a thing that can be stolen. There is no way to trace it back to it's former owner and as such, the first person to find it is legitimately the new owner.

Weev might have said that he "stole" the information or that he "intented" to perform an unauthorized access but ultimately that doesn't matter. There was no access control to prevent the internet's default of "everything is visible" so that's precisely what happened. It's not a hack no matter how badly he or the government want it to be. Intent matters not one iota.


Of course intent matters. If I run over someone with my car and kill them and it was deemed just a terrible but unfortunate accident, that is 100% different than if I drove over them because I intended to run them down and kill them.

The same applies to this case. He intended to access something he knew he shouldn't have had access to. Thus why he is guilty.


Yes, but in your example (where someone is killed) there is rather obviously an underlying act that may or may not be criminal depending on the intent. There are infinitely many acts that cannot be considered crimes regardless of how malicious the intent behind them may be.

Furthermore, just because someone feels that they have done something wrong does not make what they have done a crime. The law also must consider that action to have been illegal.

Hopefully, the appeals court will determine that accessing a public unrestricted URL cannot be considered illegal, regardless of the mindset of the person who might choose to access it.


Depending on what you find and where you find it, actually, you may have a legal obligation to attempt to return it to the owner. The law is not quite as simple as finders, keepers.


Ahem, http://en.wikipedia.org/wiki/Theft_by_finding


Ahem, there are no less than three examples in the wikipedia page you're trying to cite that back me up:

and cases where the circumstances were held to show no larceny: R. v. Wood (1848) 3 Cox C. C. 277 (banknote found on open land) R. v. Dixon (1855) 7 Cox C. C. 35, 25 L. J. M. C. 39 (lost note without mark) R. v. Shea (1856) 7 Cox C. C. 147; R. v. Christopher (1858) Bell C. C. 27, 169 E. R. 1153 (unmarked notes and purse found in public place)

I used a $50 bill (which is implied to be unmarked) purposefully.


If we want to stretch analogies beyond sense, how about this.

You walk into a cake shop that has cupcakes with names written on the icing:

You say "Can I have a cupcake with 'Iain' written on it?" They say "200 OK, here's a cupcake with Iain on it."

You say "Can I have that wedding cake?" They say "401 Unauthorized, Sorry that's someone elses' cake." You don't get a wedding cake.

You say "Can I have a cupcake with 'Alice' written on it?" They say "200 OK, here's a cupcake with "Alice' written on it."

You say "Can I have a birthday cake?" They say "402 Payment required, That'll be $15" You don't get a birthday cake.

You say "Can I have a cupcake with 'Bob' written on it?" They say "404 Not Found, sorry we don't have any cupcakes with 'Bob'."

You say "Can I have a cupcake with 'Carol' written on it?" They say "200 OK, here's a cupcake with 'Carol' in it."

You say "Can I have a cupcake with 'Dave' written on it?" They say "200 OK, here's a cupcake with 'Dave' on it."

You walk out with 4 cupcakes. Then the cake shop owner comes out and says "You stole the three cupcakes! I didn't intend for you to have them!"

Did you do anything wrong? Do you deserve to go to jail for it?


> Did you do anything wrong?

Possibly, it depends on intent. Add in:

    You: Hahaha, guys I can get anybodies cake!
    You: Looool their security is awful!
    You: Hahah, we could short this companies stock!
Then you clearly knew what you were doing and therefore did something wrong.


But an equally valid interpretation of what's going on is:

Cool, free cupcakes! They want you to pay for birthday cakes and pre-order wedding cakes, but they'll give you any cupcake you ask for if they've got one available!


Do the IRC transcripts sound like he thought that this information should have been shared by the server? Your interpretation would have weev thinking that AT&T intended to make this information public, that having it public was fine, and there was no complexity in what he did to get it.


You're right - weev was being a dick, and he knew he ws at the time.

BUT…

I personally think AT&T should also be held to account for their part in what happened. They put all that data up on the public internet, with no authentication required to get it. I think they're at least as culpable here as weev is. (and I don't think _either_ of them should get off scott free - they both played fast and loose with other people's data.)


If knowing that you are doing something immoral makes it a crime why isn't all of Wall Street in prison?


1) Generally they do things that are harder to prove illegal, harder to show were doing something they knew was wrong and don't send messages in IRC channels 'joking' about shorting stock when releasing bad news. In essence, they are smarter about it.

2) Some are.

3) Not everyone involved in investment is doing something immoral.


I know the US has decided to start prosecuting thoughtcrimes, such as jokes on FB, but that's actually unconstitutional. Accessing a server is not a crime, the user agent is not meant for authorization, and what he did was immoral, not illegal. The only difference between what weev and Aaron Swartz did is the type of content downloaded and the quality of the person downloading.

You're arguing to put this douchebag in prison, but not for an actual crime. Remember that the next time they use the CFAA to crucify someone who doesn't deserve it.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: