

#WEEVFREE
April 11, 2014 10:42 AM

"A federal appeals court Friday reversed and vacated the conviction and sentence of hacker and Internet troll Andrew "weev" Auernheimer." weev is free!
posted by zscore (113 comments total) 6 users marked this as a favorite

 
Previously on Metafilter.
posted by Wretch729 at 10:45 AM on April 11 [2 favorites]


Ugh.
posted by kmz at 10:51 AM on April 11 [1 favorite]


If they wanted to convict him for something, they should start with that beard. Yeesh.
posted by hellojed at 10:54 AM on April 11 [1 favorite]


Well, fuck.
posted by happyroach at 10:54 AM on April 11


Good. It was a ridiculous charge. Now, how do we get justice for the victims of his actual crimes?
posted by feckless at 10:55 AM on April 11 [16 favorites]


Reversed and vacated because it was tried in the wrong venue, not because the initial conviction was found to be bad.
posted by rtha at 10:55 AM on April 11 [4 favorites]


Since it's buried in the "previously" link: The end of kindness: weev and the cult of the angry young man. Kathy Sierra just posted an update on that story to Twitter:
> (1/3) I was warned there'll be consequences for my giving the 1 Verge interview, & breaking my 6-year silence on w**v. Soon, I'll find out.
> (2/3) I'm relieved his *current* conviction is now vacated/he's being freed; he should never have been charged/imprisoned for THAT. But...
> (3/3) 99% sure he'll NEVER be charged w/ his *actual* (lesser) crimes against unimportant individuals, & he'll be tech media darling again.
I don't have any personal opinion or knowledge about weev or Kathy Sierra, but this story has been all over my Twitter feed today.
posted by Nelson at 10:56 AM on April 11 [13 favorites]


It was a stupid conviction in the first place (AT&T was at fault for making the records publicly accessible), so good. But it does nothing to address the poor precedent his conviction set. And he will continue being an ass, that apparently hasn't changed.
posted by gemmy at 10:59 AM on April 11


"Weev Free Man"

(apologies to Terry Pratchett :)
posted by techSupp0rt at 11:01 AM on April 11 [2 favorites]


But it does nothing to address the poor precedent his conviction set.

It does address the precedent of "venue-shopping" which as the appellate panel notes is not a minor part of the injustice done. And since the conviction in entirety was vacated, in the case of convicting someone for conspiracy, no precedent has been set.
posted by muddgirl at 11:03 AM on April 11 [4 favorites]


So the CFAA isn't being challenged and his acolytes are already revving up the hate machine. How is this good news for anyone but weev?
posted by zombieflanders at 11:07 AM on April 11 [1 favorite]


Well as much as I dislike the guy, based only on the anecdotes I've read, it really is kind of a good thing to challenge the venue shopping aspect of the case. I mean, when you combine the ridiculous criminal breadth of the CFAA and the fact that in the modern world, venue for a "hacking" crime can sort of be said to lie almost anywhere, it gives prosecutors a huge amount of power when they make their charging decision. Far too much power. They can charge you anywhere they want, with almost anything they want, in whatever jurisdiction has the best home field advantage, on whatever timetable they want, make you hire counsel in some state you've never even been to, and leverage crazy sentencing guidelines to get a plea. That's the kind of unchecked power that almost by definition leads to abuses. Any paring down of that is a good thing in my view. Even if weev is a huge dick.
posted by bepe at 11:16 AM on April 11 [18 favorites]


> Contrary to what it first claimed, the group revealed the security flaw to Gawker Media before AT&T had been notified

Yeah, okay. I have no opinion on his trial and conviction because I don't know enough about it. But that line from his Wikipedia entry is sufficient to neutralize whatever sympathy I might've summoned.
posted by ardgedee at 11:16 AM on April 11 [1 favorite]


Great, the pallet of FREE WEEV stickers goes back into the pile with the FREE KEVIN stickers.
posted by wcfields at 11:21 AM on April 11 [1 favorite]


So the CFAA isn't being challenged and his acolytes are already revving up the hate machine. How is this good news for anyone but weev?

The rule of law gives me the warm fuzzies.

So I guess I'm benefitting.
posted by ocschwar at 11:22 AM on April 11 [4 favorites]


While not exactly the win I was hoping for, a smackdown on blatant venue shopping is still a win. And the ruling does include a footnote pointing out that "Although we need not resolve whether Auernheimer’s conduct involved [a breach of a code-based barrier to access] no evidence was advanced at trial that the account slurper ever breached any password gate or other code-based barrier. The account slurper simply accessed the publicly facing portion of the login screen and scraped information that AT&T unintentionally published."
posted by Holy Zarquon's Singing Fish at 11:24 AM on April 11 [1 favorite]


The rule of law gives me the warm fuzzies.

So I guess I'm benefitting.


Except that nothing's really changed, and now victims of his harassment are now being harassed again in retaliation. This was hardly a blow for "rule of law" and seems like a win for vicious trolls.
posted by zombieflanders at 11:32 AM on April 11 [3 favorites]


A circuit court precedent that would allow defendants in online crimes to be prosecuted in literally any court in the country would have been a loss for the rule of law.
posted by Holy Zarquon's Singing Fish at 11:46 AM on April 11 [6 favorites]


ocschwar: “The rule of law gives me the warm fuzzies. So I guess I'm benefitting.”

weev broke the law. He is a criminal. He threatened, harassed, and abused people. Now he is free, unlikely to be punished. The rule of law has been utterly thwarted, through a combination of criminal behavior and shoddy prosecution.

There are no warm fuzzies to be had for anyone here.
posted by koeselitz at 12:13 PM on April 11 [5 favorites]


The rule of law gives me the warm fuzzies.

So I guess I'm benefitting.

Except that nothing's really changed, and now victims of his harassment are now being harassed again in retaliation. This was hardly a blow for "rule of law" and seems like a win for vicious trolls.


He wasn't charged with harassment, or at least not in the case we're talking about. Would you rather he lost this case because of the beneficial effects? That seems pretty bad to my eyes.

If he's harassing people, fight the harassment (with law enforcement, more speech, whatever's needed). Don't lock him up for something completely different.
posted by Lemurrhea at 12:13 PM on April 11 [9 favorites]


You'll need to register on Medium, I think, but Quinn Norton (who was, it's relevant to note, Aaron Swartz's girlfriend) wrote a somewhat diffident piece there -- The Words of A Troll: The strange case of weev.
posted by dhartung at 12:18 PM on April 11 [2 favorites]


Great, the pallet of FREE WEEV stickers goes back into the pile with the FREE KEVIN stickers.

There will always be FREE BOB AVAKIAN!
posted by Ice Cream Socialist at 12:19 PM on April 11 [1 favorite]


Lemurrhea: “He wasn't charged with harassment, or at least not in the case we're talking about.”

People who commit crimes they aren't charged with are no less guilty than people who are charged.

“If he's harassing people, fight the harassment (with law enforcement, more speech, whatever's needed). Don't lock him up for something completely different.”

If we care at all about the rule of law and the ideals of a safe and secure society, we can't just demand that Auernheimer not be jailed for crimes of which he isn't guilty and ask others to "fight the harassment." We must fight the harassment ourselves.
posted by koeselitz at 12:20 PM on April 11 [3 favorites]


Well, there go my hopes of getting @fart locked up.
posted by slogger at 12:21 PM on April 11 [4 favorites]


If we care at all about the rule of law and the ideals of a safe and secure society, we can't just demand that Auernheimer not be jailed for crimes of which he isn't guilty and ask others to "fight the harassment."

I'm really unclear on the point being made here. Are you saying we fight harassment ourselves by convicting him via multiple double-negatives?
posted by rhizome at 12:23 PM on April 11 [3 favorites]


I only went to law school for a year and that was 20 years ago, so maybe an actual lawyer can chime in but from what I remember:

- In civil cases courts are supposed to consider whether a venue is grossly unfair/inconvenient for a party to the case. For example, a big corporation shouldn't be able to make the "little guy" go across the country, because the company has deep pockets and more resources and can better handle the inconvenience of going to the little guy's location.

- In federal cases it's supposed to be where the crime took place. It seems like if I hack some site from my basement, the crime took place there. Otherwise it just gets stupid - is it where AT&T's headquarters are? Where their server farm is? What if they have multiple data centers? Seems it's gotta be where the hacker lives to be fair.

This guy seems to be a tool, but it seems like the right decision was made here.
posted by freecellwizard at 12:26 PM on April 11 [1 favorite]


Hey guys, didn't realize quite the extent of weev's harassment, or I wouldn't have made quite such a jubilant post. But I do believe that it is a legal victory and good for the Internet and so forth.
posted by zscore at 12:33 PM on April 11 [1 favorite]


People who commit crimes they aren't charged with are no less guilty than people who are charged.

Then convict people of the crimes they actually did, not of anything you can get to stick to the wall because you're sure they're guilty of something. Because the precedent set by these cases applies to everybody, not just the ones who are obvious jerks. If this ruling had gone the other way, it would be a license for prosecutors to venue-shop without fear of reprisal on any Internet crime. Not worth it.
posted by Holy Zarquon's Singing Fish at 12:34 PM on April 11 [15 favorites]


AT&T was at fault for making the records publicly accessible

AT&T is at fault for this? From the opinion:

The account slurper simply accessed the publicly facing portion of the login screen and scraped information that AT&T unintentionally published.

Ok, I don't understand the technology at all. Sounds to me like AT&T basically had a security flaw they didn't know about (but probably should have) and they unknowingly allowed someone trying to get through to do so. That kind of poor security is certainly something that I, as a consumer, hold against AT&T and factor that unacceptable sloppiness into my decision to do business for them.

But how is it their fault for this? That's like saying I am at fault for having my house robbed because, even though I thought I locked the door, I actually did not fully engage the deadbolt so it was easily opened by someone trying to get in, thereby making my furniture "publicly accessible." I am fascinated by that mindset.

I see a bit of a problem that this guy was looking for information he clearly should not have access to. I'm not sure what the remedy to that is from a criminal law perspective, but I certainly don't ignore that he is the primary contributing factor to this--the one I would say is at "fault" for this breach--as he is the moving force behind this occurring.


(Re: the rule of law angle. By the way, here is the actual opinion. Procedural due process is imperative to the rule of law. A tainted conviction should be tossed no matter how criminally culpable a defendant is. I hate it when people who commit crimes walk, but I'll choose that reality over a disregard for the process. That being said, I struggle with the idea that the much-maligned "forum shopping" rises to the level of procedural due process. And the confounding factor of the internet makes this issue murky to me.)
posted by dios at 12:35 PM on April 11 [4 favorites]


He wasn't charged with harassment, or at least not in the case we're talking about. Would you rather he lost this case because of the beneficial effects? That seems pretty bad to my eyes.

No, I'm saying this was more a status quo move than anything else. Like I said, CFAA is still in place, and while I'm all for preventing the anytime/anywhere issue, it's far from clear that this case settled that. On the balance of things, it's a lateral move.

If he's harassing people, fight the harassment (with law enforcement, more speech, whatever's needed). Don't lock him up for something completely different.

I wasn't asking him to be jailed for something different, and I don't support the way the fraud case was handled. I was noting that this didn't really seem to resolve anything in as crystal-clear a fashion as it was being portrayed. I'm also disturbed that the people that could fight the harassment chose not to. The point was made in the last thread about how EFF was willing to go to bat for weev on the fraud charge, but has been pretty much silent on the harassment, and that this isn't unusual for them. The ACLU may have defended racists' rights to free speech, but they also defended the victims of that racism when it resulted in violence. I can't say the EFF shows any desire to emulate that.
posted by zombieflanders at 12:37 PM on April 11 [3 favorites]


But how is it their fault for this? That's like saying I am at fault for having my house robbed because, even though I thought I locked the door, I actually did not fully engage the deadbolt so it was easily opened by someone trying to get in, thereby making my furniture "publicly accessible." I am fascinated by that mindset.

This kind of analogy is tricky when applied to the Internet. Bear in mind that AT&T has huge numbers of webpages that are freely accessible to the public, so you are already allowed inside their proverbial house - it's just certain rooms that are locked. They took sensitive information - the e-mail addresses that correspond to particular iPads - and stored them in a publicly accessible "room" with no lock on the door. They didn't even try to lock it down. Anybody in the world who typed in the right URL would get to a page with the sensitive information. They just didn't think anybody would try to figure out the right URL. Going back to the lock-on-the-door analogy, they hid their valuables in an unlocked, open room that was at the end of a mile-long maze, and assumed nobody could map that maze.
posted by Holy Zarquon's Singing Fish at 12:47 PM on April 11


dios - I think the brick and mortar analogy would be that AT&T put everyone's personal information in unlocked numbered cubbies facing a public sidewalk and this weev guy got arrested for having the gall to look in the ones with a different number than his.
posted by Zalzidrax at 12:54 PM on April 11 [5 favorites]


They just didn't think anybody would try to figure out the right URL. Going back to the lock-on-the-door analogy, they hid their valuables in an unlocked, open room that was at the end of a mile-long maze, and assumed nobody could map that maze.
posted by Holy Zarquon's Singing Fish at 2:47 PM on April 11

I'm willing to stipulate that the analogy is more complex because, as I disclosed, I don't understand the technology side of this at all. But even working off of your formulation, I see it more like:
They just didn't think anybody would try to figure out the right URL. Going back to the lock-on-the-door analogy, they hid their valuables in an unlocked, open room that was at the end of a mile-long maze, and assumed nobody could would map that maze and try to take things for which they have no legal right to possess and in a manner that comes close to violating law.
I'm not entirely sure your formulation of assumption is correct because it implies that an intentional decision was made when I understand this was unintentional. Footnote one from the Court seems to imply it was unintentionally published in only a way a scraper (whatever that is) would find. Let's call that negligence on their part. But it strikes me as self-evidently obvious that weev knew he was not supposed to access that information. And it seems equally obvious to me that this is the type of thing that is close to theft. So, yeah, I didn't lock the door of that room. But that failure is not the same thing as an invitation for you to come into the room and take stuff that does not belong to you. I still submit that the intentional act of weev is more "at fault" than the negligence of AT&T.
posted by dios at 12:57 PM on April 11


dios - I think the brick and mortar analogy would be that AT&T put everyone's personal information in unlocked numbered cubbies facing a public sidewalk and this weev guy got arrested for having the gall to look in the ones with a different number than his.

Wait, so everyone who supports this analogy thinks it's okay to poke around in areas that clearly don't belong to you because they are unlocked?
posted by 99_ at 12:59 PM on April 11 [2 favorites]


Wait, so everyone who supports this analogy thinks it's okay to poke around in areas that clearly don't belong to you because they are unlocked?

This is the problem with analogies.
posted by fader at 1:02 PM on April 11 [14 favorites]


this weev guy got arrested for having the gall to look in the ones with a different number than his.
posted by Zalzidrax at 2:54 PM on April 11


Again, this seems as an odd formulation. As I understand it, he intentionally went digging for information he knew he was not supposed to have access to and then took it when he found it. He didn't just look. He took things. And I assume that he was aware it was legally precarious to do so. And I also assume that the questionable legality of it is what drove him to do it. In other words, he wasn't just innocently looking for access to people's personal photos on a drive for smiles. He surreptitiously went looking for sensitive and otherwise confidential financial information.

Why would you want to exculpate him from being the primary bad actor here, even when you properly roast AT&T for being negligent in their security systems?
posted by dios at 1:03 PM on April 11 [3 favorites]


I think it is a question of defining the boundaries and breaches. Doors are a good one - just putting up a door in the right context (i.e. your house, rather than a mall entrance) establishes a boundary (and in the strict legal sense property lines), even if you forget to or improperly secure it.

In the Internets it is not so clear. My sense on the matter would be that the company published that information to the whole world by providing it on a HTTP server accessible with a standard URI schema - there was no boundary (password, key, etc.) separating that from the public space. As if the company had shipped out a book to their customers and informed them they were only allowed to look at page 309 which had their private info.
posted by save alive nothing that breatheth at 1:05 PM on April 11 [3 favorites]


Again, this seems as an odd formulation. As I understand it, he intentionally went digging for information he knew he was not supposed to have access to and then took it when he found it. He didn't just look. He took things.

I don't think the property / door analogy is helpful. He made a request to a public web server, and it responded.
posted by junco at 1:06 PM on April 11 [4 favorites]


me: “People who commit crimes they aren't charged with are no less guilty than people who are charged.”

Holy Zarquon's Singing Fish: “Then convict people of the crimes they actually did, not of anything you can get to stick to the wall because you're sure they're guilty of something. Because the precedent set by these cases applies to everybody, not just the ones who are obvious jerks. If this ruling had gone the other way, it would be a license for prosecutors to venue-shop without fear of reprisal on any Internet crime. Not worth it.”

Look, have you read Kathy Sierra's discussions about this? She was vehemently against weev getting prosecuted on these silly charges, as they don't make any sense. She wanted him prosecuted on the criminal complaints she made all the way back in 2007. But she's been ignored thoroughly.

Lest there be any misunderstanding here: nobody here is saying that it was good that weev was prosecuted for the computer thing because he was guilty of harassment. That wasn't good. At least he was behind bars; but it wasn't good. His release? Also not good. The world has not been set right, and we shouldn't have any illusions about that.
posted by koeselitz at 1:10 PM on April 11 [3 favorites]


This guy is scum, but he was locked up for the wrong reasons. He was released for the right reasons, and needs to be locked back up for the right reasons. Or something.

Justice hasn't happened yet.
posted by oceanjesse at 1:11 PM on April 11 [11 favorites]


Lest there be any misunderstanding here: nobody here is saying that it was good that weev was prosecuted for the computer thing because he was guilty of harassment. That wasn't good. At least he was behind bars; but it wasn't good. His release? Also not good. The world has not been set right, and we shouldn't have any illusions about that.

The Third Circuit has no authority to lock him up for crimes that are not part of the case before it. The judges here delivered the best ruling they had the power to give.
posted by Holy Zarquon's Singing Fish at 1:13 PM on April 11 [2 favorites]


Weev's actions were a little like being told to get his personal information from page 839 out of the White Pages, and him checking out what's on Page 840. Unsurprisingly, someone else's information.
posted by effugas at 1:15 PM on April 11 [1 favorite]


> Kathy Sierra just posted an update on that story to Twitter

Her comment from The end of kindness: "I think he does belong in prison for crimes he has committed, but what he’s in for now is not one of those crimes. I hate supporting the Free Weev movement, but I do."
posted by homunculus at 1:20 PM on April 11 [3 favorites]


So you're going with innocent curiosity, then? No ill intent or nefarious motive on his part? Makes me wonder why he took that information he found when innocently glancing at another page.

Remarkable.
posted by dios at 1:20 PM on April 11 [1 favorite]


dios: “So you're going with innocent curiosity, then? No ill intent or nefarious motive on his part? Makes me wonder why he took that information he found when innocently glancing at another page. Remarkable.”

The point is rather that intent doesn't matter. Under the interpretation of the law originally proffered by the court in this case, if AT&T accidentally posted all of their clients' names and credit card numbers on the front page of their website, and I just happen to access their website on a library computer, exposing all those credit card numbers to "the public," then I am guilty of criminal trespass and a candidate for prosecution and jail time.
posted by koeselitz at 1:26 PM on April 11 [6 favorites]


No, I'm going with the text of the CFAA, which says it's a crime to access a computer without authorization. AT&T took private information and stuck it on a public bulletin board. Reading that bulletin board isn't "unauthorized."
posted by Holy Zarquon's Singing Fish at 1:28 PM on April 11 [2 favorites]


Under the statute he was charged for violating, it is in fact intent to extort that makes it criminal. But the issue is whether the server from which he obtained the information was "protected" and whether he accessed it "without authorization or in excess of authorization".
posted by junco at 1:30 PM on April 11


Sorry, I was reading the wrong statute; koeselitz is right, and intent doesn't matter. But it is the definition of "protected computer" that is in question.
posted by junco at 1:33 PM on April 11 [1 favorite]


It's pretty awful to talk in analogies, so for the benefit of those reading who don't have a technical background, here's the simplest I can make things:
AT&T built a service by which you can look up email addresses. In order to look up an email address, you provide a long number (something like 1234567890987654321). Each number has a single email address associated with it. The idea is that a person's iPad could connect to this service on behalf of its owner, and look up an email address using the randomly-assigned number it already had. AT&T didn't require any sort of key to use the service, and didn't require that anyone agree to any terms in order to use it. Access to this service was (and was intended to be) public.

Normally, you get a number when you buy an iPad. If you can guess other numbers (which aren't, by the way, secrets - they're basically randomly assigned), you can use this service to look up email addresses associated with them. Again, you're just calling a public service that turns numbers into email addresses. weev guessed a whole bunch of numbers, and got a bunch of email addresses.

That's it. He did not break the service in any sense. He did not make the service return information it wasn't designed to return.
It is absolutely outrageous that he was convicted of any wrongdoing for this, and I'm firmly of the opinion that the prosecutor shopped for a venue in this case to find a state law that was broad enough, and a jury pliant enough, to get a conviction.
posted by TheNewWazoo at 1:56 PM on April 11 [6 favorites]
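
The lookup design described in the comment above, sketched from the server side as an added example (not part of the thread and not AT&T's code): an open number-to-email lookup beside a variant that ties each number to a credential and throttles repeated misses. The directory contents, key, names and thresholds are all constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data: device number -> email address.
DIRECTORY = {
    "1234567890987654321": "alice@example.com",
    "1234567890987654322": "bob@example.com",
    "1234567890987654323": "carol@example.com",
}

SERVER_KEY = b"constructed-demo-key"  # assumption: secret known only to the server
MAX_DENIALS = 3                        # assumption: failed lookups tolerated per client


def lookup_open(number):
    """The design as described: the number is the only input, so holding
    (or guessing) a number is enough to receive its email address."""
    return DIRECTORY.get(number)


def issue_token(number):
    """Hypothetical provisioning step: each device is given a token derived
    from its own number, so knowing a number no longer implies access."""
    return hmac.new(SERVER_KEY, number.encode(), hashlib.sha256).hexdigest()


class GuardedLookup:
    """Hardened variant: demands proof of ownership for the number and stops
    answering clients that keep presenting numbers they cannot prove."""

    def __init__(self):
        # Client id -> failed attempts. The id is an assumption here; in a
        # real service it might be a source address or an API credential.
        self.denials = defaultdict(int)

    def lookup(self, client, number, token):
        if self.denials[client] >= MAX_DENIALS:
            return ("throttled", None)
        expected = issue_token(number).encode()
        # Constant-time comparison: do not leak how much of the token matched.
        if not hmac.compare_digest(expected, (token or "").encode()):
            self.denials[client] += 1
            return ("denied", None)
        return ("ok", DIRECTORY.get(number))


def exposure(lookup_fn, own_number, span=5):
    """Defender's self-test: starting from one legitimately held number,
    count how many *other* records come back for the numbers around it."""
    base = int(own_number)
    leaked = 0
    for candidate in range(base - span, base + span + 1):
        if candidate == base:
            continue
        if lookup_fn(str(candidate)) is not None:
            leaked += 1
    return leaked


if __name__ == "__main__":
    mine = "1234567890987654321"
    token = issue_token(mine)
    guarded = GuardedLookup()

    print("open design, other records returned:", exposure(lookup_open, mine))
    print("guarded, own record:", guarded.lookup("device-a", mine, token))
    print("guarded, other records returned:",
          exposure(lambda n: guarded.lookup("scanner", n, token)[1], mine))
    print("guarded, scanner afterwards:", guarded.lookup("scanner", mine, token))
```
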


Wouldn't the problem have been pretty well solved if he'd had the decency to contact AT&T first? Conduct of a white hat?
posted by scottymac at 2:05 PM on April 11


"Again, this seems as an odd formulation. As I understand it, he intentionally went digging for information he knew he was not supposed to have access to and then took it when he found it. He didn't just look. He took things. And I assume that he was aware it was legally precarious to do so. And I also assume that the questionable legality of it is what drove him to do it. In other words, he wasn't just innocently looking for access to people's personal photos on a drive for smiles. He surreptitiously went looking for sensitive and otherwise confidential financial information.

Why would you want to exculpate him from being the primary bad actor here, even when you properly roast AT&T for being negligent in their security systems?"

A couple things are salient here:

First off, it's important to remember that there is a big distinction between copying and theft. He didn't steal valuables, he copied data that is, in aggregate, valuable.

Second, it was AT&T making this information publicly available that allowed him to do it — in fact, that was the whole point of sending the info to Gawker, was to make people aware of this security flaw.

So, rather than going with the physical metaphor of theft, a better one might be something that happened while I was in college: Our college IDs were based on our Social Security numbers, with a little bit of a hash (a simple pattern to disguise them). For the analogy, assume that they were simply reversed. The school, by dint of the student directory, published all of the social security numbers for all students. AT&T, by dint of their public web server, published all the email addresses for their iPad clients. Our school directory wasn't online, thank god, but was available if you went to the Student Life office and asked for a copy.

But assume they were digitally available, and someone wrote a program to undo the hash (reverse the numbers) and had, then, a huge list of all our SSNs along with our names.

It was absolutely the fault of the university for publishing Social Security numbers without an adequate protection, even while it would be the fault of any criminals who used that information to commit actual crimes. It should not be a crime to take those social security numbers and give them to the school newspaper. It should not be a crime to take those email addresses and give them to Gawker. The public's right to know, combined with the fact that no security apparatuses were defeated, means that what Weev did essentially was to publish publicly available information. That it required querying lots of different addresses would be no different than if my school had published one number in each copy of the school directory, and required someone to gather all of them to have the list.

"Wouldn't the problem have been pretty well solved if he'd had the decency to contact AT&T first? Conduct of a white hat?"

It's not illegal to be an asshole, and it's not illegal to not contact the target of an exposé before exposing them.
posted by klangklangston at 2:08 PM on April 11 [8 favorites]


(And I'm still annoyed that after people complained about the student ID numbers, the school just switched to a different, equally simple hash — they just added 1 to the first three numbers, and added two letters to the end of the number. Hopefully, it's changed in the years since I've been at school, but I always thought it was monumentally irresponsible.)
posted by klangklangston at 2:10 PM on April 11


I hate the fact, so much, that these types of piece of shit internet trolls never get their day in court for actual harassment and shitty behavior.

I am in a perpetual, unending superposition of disbelief and grim acceptance from what I've seen people get away with online. Especially stuff that was never mentioned again other than at most a post in a thread on some shitty forum or 4chan.

I still can't believe this kind of hateful piece of shit who enjoys seeing people suffer is regarded positively by anyone but other trolly turds. It just blows my goddamn mind.
posted by emptythought at 2:10 PM on April 11 [6 favorites]


"Wouldn't the problem have been pretty well solved if he'd had the decency to contact AT&T first? Conduct of a white hat?"

Certainly, but responsible disclosure isn't obligated by law, and all informed persons will agree that weev is kind of a dick.
posted by TheNewWazoo at 2:10 PM on April 11


The point is rather that intent doesn't matter... I just happen to access their website on a library computer

Wait, what? Intent doesn't matter?

He was charged with violating 1030(a)(2)(C) and (c)(2)(B)(ii). Here they are:
(a) Whoever—
  (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
    (A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602 (n) [1] of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
    (B) information from any department or agency of the United States; or
    (C) information from any protected computer;
and
(c) The punishment for an offense under subsection (a) or (b) of this section is—
  (2)
    (B) a fine under this title or imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(2), or an attempt to commit an offense punishable under this subparagraph, if—
      (i) the offense was committed for purposes of commercial advantage or private financial gain;
      (ii) the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State
The first operative word is "intentionally." He had to have the culpable mens rea that he "intentionally accessed a computer without authorization or exceeds authorized access." Intent very much matters. And if you read the opinion, it makes it very clear that Spitler and this guy knew it was a security flaw they were exploiting, and that presupposes that they knew they did not have authorization to access and obtain the information. Moreover, there is a requirement for the punishment he received that he have a criminal or tortious mens rea.

Intent very much matters. If he innocently found this information, that's one thing. But the opinion makes clear this was intent to exploit a discovered security flaw--one that this guy bragged about exploiting after doing it--so arguing as if this was innocent curiosity is both (a) factually incorrect and (b) morally peculiar. It seems to show some desire to give approbation for hacking as if it is a good in and of itself.
posted by dios at 2:25 PM on April 11 [1 favorite]


That's like saying I am at fault for having my house robbed because, even though I thought I locked the door, I actually did not fully engage the deadbolt so it was easily opened by someone trying to get in, thereby making my furniture "publicly accessible."

The Gunnery Sergeant Hartman Position
posted by Steely-eyed Missile Man at 2:30 PM on April 11


I am not so sure I would paint weev as some white hat, or what was done as some sort of exposé. In weev's indictment, weev's coconspirator, Daniel Spitler, discussed with two other members of Goatse ("Nstyr" and "Pynchon") what they would do with these email addresses (note, this discussion below looks like it dates from BEFORE weev was aware of this scheme, but I am not positive, on page 9. Also, I can't copy/paste from the doc, so this is my typing the discussions out, my apologies if I miss something with the ellipses, you can always check the indictment directly):

Spitler: …I don't see the point unless we phish for passes even that's boring
Nstyr: data mining…for example sell to spammers
Spitler: tru ipad focused spam

Then weev is brought into this all in a later conversation with Spitler, who was directed to get as many addresses as possible:

weev: if we get enough addresses we could direct market ipad accessories (Page 10)

And later, when Spitler says that he has only 625 addresses:

weev: takes like, millions to be profitable re: spam, but that's a start (page 10, again)

It sounds to me that the group was going to sell these to spammers to make a profit, but since they never got enough email addresses to make it worth their while, they just gave their database to Gawker. I am still not clear if they disclosed what they were doing to AT&T or, if they did, when that disclosure was.

I do agree that venue shopping sure is a really stupid thing to do, especially in this case where the details of the alleged crimes and how they should be prosecuted in the first place are such a matter of contention. These prosecutors should be fired for, what appears to me, blatantly overstepping during their prosecution of a high-profile case. What a waste of everyone's time to make this a case about venue shopping (which, as the article states, has been contentious for the entire history of the US).
posted by roquetuen at 2:42 PM on April 11 [2 favorites]


I see no reason why DOJ can't just retry the case in the federal district where Auernheimer maintains his permanent residence. I can't for the life of me see why his defense attorneys think this is a double jeopardy case. It's only double jeopardy if you are acquitted.

No one has offered me any reason why this might not be the case, anyway.
posted by valkyryn at 2:48 PM on April 11


I think maybe a lot of the cross-talk here (about “accessing a protected computer”) stems from whether you consider security by obscurity (the AT&T pages were “secure” because the site developers didn’t expect anybody to be editing the ID parameter in the URL) to be security at all (“I asked their web server for this page, with this ID parameter, and it gave it to me, with an e-mail address on it. If I wasn’t supposed to see that, why didn’t it serve me an HTTP 403 Forbidden?”)

Personally, I think “hope that people don’t edit the address bar” (and the User-Agent header, yes) is not an actual security strategy, but of course, I don’t sit on the bench.
posted by letourneau at 2:53 PM on April 11 [10 favorites]


"Intent very much matters. And if you read the opinion, it makes it very clear that Spitler and this guy knew it was a security flaw they were exploiting, and that presupposes that they knew they did not have authorization to access and obtain the information. Moreover, there is a requirement for the punishment he received that he have a criminal or tortious mens rea.

Intent very much matters. If he innocently found this information, that's one thing. But the opinion makes clear this was intent to exploit a discovered security flaw--one that this guy bragged about exploiting after doing it--so arguing as if this was innocent curiosity is both (a) factually incorrect and (b) morally peculiar. It seems to show some desire to give approbation for hacking as if it is a good in and of itself."

1) They didn't necessarily exceed authorized access — there was no prohibition on that access; the information was publicly available. You just had to know it was there. They guessed it was there.

2) From that, it'd be a stretch to argue that they were intentionally exceeding authorized access — if there are no security features, and the information is only obscured, not restricted, that they came up with a clever way of finding it isn't intentionally exceeding authorized access, it's intentionally finding information.

3) I don't see a way here that Weev would be guilty and the Gawker journalist would not. They're also intentionally looking at publicly-published information that AT&T doesn't want them to.
posted by klangklangston at 2:54 PM on April 11 [1 favorite]


> It seems to show some desire to give approbation for hacking as if it is a good in and of itself.
Hacking can absolutely be a good in and of itself. Take a look at this, for example, where unlike weev's case there is zero doubt that the hackers in question bypassed authorization on Google's servers and obtained protected information. Under the interpretation of the CFAA as applied in weev's case, it seems to me that the Detectify guys should be in jail, despite the fact that their hacking created a net good.

The difference between the two is Detectify followed responsible disclosure, whereas weev went straight to the press rather than waiting some time and allowing AT&T to fix it. If we want to allow for the former but prosecute the latter, fine, pass a law requiring responsible disclosure. The CFAA shouldn't be applied as broadly as is being done in weev's case.
posted by ReadEvalPost at 2:57 PM on April 11 [2 favorites]


Oh, and here is how the Court described it:
The relevant facts are fairly simple and not in dispute. Apple, Inc. introduced the first iPad, a tablet computer, in 2010. Customers who purchased the version that had the capability to send and receive data over cellular networks (commonly referred to as “3G”) had to purchase a data contract from AT&T, Inc. (“AT&T”), which at the time was the exclusive provider of data services for this version of the iPad. Customers registered their accounts with AT&T over the Internet on a website that AT&T controlled. In the registration process, customers were assigned a user identifier (“user ID”) and created a password — login credentials that they would need in order to access their accounts through AT&T’s website in the future. The user ID assigned to each customer was that customer’s email address.

AT&T decided to make it easier for customers to log into their accounts by pre-populating the user ID field on the login screen with their email addresses. To do this, AT&T programmed its servers to search for an iPad user’s Integrated Circuit Card Identifier (“ICC-ID”) when a user directed her browser to AT&T’s general login web page (AT&T’s “URL”). An ICC-ID is the unique nineteen-or twenty-digit number that identifies an iPad’s Subscriber Identity Module, commonly known as a SIM Card. The SIM Card is the computer chip that allows iPads to connect to cellular data networks.

If AT&T’s servers recognized the ICC-ID as associated with a customer who had registered her account with AT&T, then AT&T’s servers would automatically redirect the customer’s browser away from the general login URL to a different, specific URL. That new specific URL was unique for every customer and contained the customer’s ICC-ID in the URL itself. Redirecting the customer’s browser to the new specific URL told AT&T’s servers which email address to populate in the user ID field on the login page. This shortcut reduced the amount of time it took a customer to login to her account because, with her user ID already populated, she had to enter only her password.

Daniel Spitler, Auernheimer’s co-conspirator, discovered this feature of AT&T’s login process. Although he did not own an iPad, he purchased an iPad SIM Card, hoping to install it on another computing device and then take advantage of the unlimited cellular data plan that AT&T offered for $30 per month. At first, he did not know how to register his SIM Card, so he downloaded the iPad operating system onto his computer, decrypted it, and browsed through the operating system’s code to try to find a way to register it. In the course of doing so, he came across AT&T’s registration URL. He noticed that one of the variables in the registration URL was a field requiring an ICC-ID.

Spitler then directed his computer’s web browser to the registration URL and inserted his iPad’s ICC-ID in the requisite place. AT&T’s servers were programmed only to permit browsers that self-identified as iPad browsers to access the registration URL. This required him to change his browser’s user agent. A user agent tells a website what kind of browser and operating system a user is running, so servers that someone is attempting to access can format their responses appropriately.

After changing his browser’s user agent to appear as an iPad, Spitler was able to access the AT&T login page. He noticed that his email address was already populated in the login field and surmised that AT&T’s servers had tied his email address to his ICC-ID. He tested this theory by changing the ICC-ID in the URL by one digit and discovered that doing so returned a different email address. He changed the ICC-ID in the URL manually a few more times, and each time the server returned other email addresses in the login field.

Spitler concluded that this was potentially a noteworthy security flaw. He began to write a program that he called an “account slurper” that would automate this process. The account slurper would repeatedly access the AT&T website, each time changing the ICC-ID in the URL by one digit. If an email address appeared in the login box, the program would save that email address to a file under Spitler’s control.

Spitler shared this discovery with Auernheimer, whom he knew through Internet-based chat rooms but had never met in person. Auernheimer helped him to refine his account slurper program, and the program ultimately collected 114,000 email addresses between June 5 and June 8, 2010. Its method—guessing at random—is called a “brute force” attack, a term of art in the computer industry referring to an inefficient method of simply checking all possible numbers.

While Spitler’s program was still collecting email addresses, Auernheimer emailed various members of the media in order to publicize the pair’s exploits. Some of those media members emailed AT&T, which immediately fixed the breach. One of the media members contacted by Auernheimer was Ryan Tate, a reporter at Gawker, a news website. Tate expressed interest in publishing Auernheimer’s story. To lend credibility to it, Auernheimer shared the list of email addresses with him. Tate published a story on June 9, 2010 describing AT&T’s security flaw, entitled “Apple’s Worst Security Breach: 114,000 iPad Owners exposed.”

The idea that this was an innocent stumbling upon or otherwise publicly accessible information is hogwash. This Spitler guy was trying to hack into the system to get 3G to a non-ipad. He then obtained a copy of the ipad OS and decrypted it (the details of which aren't discussed, but I'm sure there was something illegal going on there). But then in trying to work around registering, he noticed how the "key" to this information worked. He then created a brute force attack of guessing the keys to find the information.

In other words, he knew he did not have authorization to get this information--the test in the crime--and that he was using brute force to find the key to get the information. He then obtained information that would have been protected but for manufacturing of the key to it.

All of the suggestions that this stuff was publicly available in any meaningful sense is inconsistent with what the Court requires. This guy had to guess at a key to get to the information. And it is only with the key that he could get that information--it was protected from anyone not in possession of the key--either properly in possession of it or by guessing it.

The intent is very much important here, and as the Court describes it, the intent was well in place here.
posted by dios at 2:58 PM on April 11 [1 favorite]


I think the court would disagree with you there.

"Although we need not resolve whether Auernheimer’s conduct involved [a breach of a code-based barrier to access] no evidence was advanced at trial that the account slurper ever breached any password gate or other code-based barrier. The account slurper simply accessed the publicly facing portion of the login screen and scraped information that AT&T unintentionally published."
posted by Holy Zarquon's Singing Fish at 3:04 PM on April 11 [1 favorite]


Dios, you completely skipped over the definition of "authorization," the second operative word, if you will, in the phrase "without authorization or exceeds authorized access." It's germane.
posted by rhizome at 3:15 PM on April 11 [1 favorite]


> He then obtained a copy of the ipad OS and decrypted it (the details of which aren't discussed, but I'm sure there was something illegal going on there).
Absolutely not. iOS decrypts itself when it runs, all decryption routines and information are available when you download the software. It just takes some work to extract that information and run it to get a decrypted copy.

Throw me in jail if that's illegal.
posted by ReadEvalPost at 3:16 PM on April 11 [4 favorites]


I cited that footnote several times earlier, and I know that is what the Court noted. But there is a reason that is in a footnote and not in the merits of the discussion: "password" is not the test in the federal statute. The question is whether the defendant "intentionally accesses a computer without authorization or exceeds authorized access". "Authorization" is co-extensive with "password" in every state. That is just the standard under New Jersey law. That is why venue is so important. I wonder what the other states require. To me, there is not a necessary connection between "password" and "authorization." I think people can exceed their authorization if they start manipulating something that is naturally not done. I don't see why he needed to break a password to "exceed authorization."
posted by dios at 3:16 PM on April 11


> I don't see why he needed to break a password to "exceed authorization."

Because that's the way it goes.
posted by rhizome at 3:19 PM on April 11


dios, the problem is, that relies on the arbitrary decision that a particular piece of information in a URL is a "key". You could equally well argue that "http://www.metafilter.com/" is a key, because nobody can access Metafilter without either being "properly in possession" of that string or guessing it.

At the technological level, there are certain distinctions between different kinds of identifiers. Even if it's all ultimately just bits on a wire, different fields have their own standardized meanings. For example, a password or session cookie is designed to be linked to a particular user, so it's perfectly reasonable to say that guessing or stealing one of those cookies is an act that shows intent to bypass a security mechanism. But URLs aren't normally used for that purpose; the normal assumption in the industry is that if you allow public access to a URL, that information is intended to be public.

It strikes me as extremely dangerous to allow a site operator to retroactively define a particular URL as "protected", despite not being controlled by the normal means of access control, and prosecute anyone who has accessed it. I'm equally uncomfortable with the standard of criminal conviction being "manipulating something that is naturally not done."
posted by teraflop at 3:19 PM on April 11 [9 favorites]
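
The distinction argued over in the comments above (a guessable identifier in a URL plus a User-Agent check, versus an access control that actually answers 403), sketched as an added example that is not part of the thread and is not AT&T's code. The identifiers, e-mail addresses, function names and the device-token scheme are all constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: ICC-ID-style identifiers mapped to account e-mails.
ACCOUNTS = {
    "8900000000000000001": "alice@example.com",
    "8900000000000000002": "bob@example.com",
}


def prefill_by_url_id(icc_id, user_agent):
    """Weak design: the URL identifier and a User-Agent string are the only gates."""
    if "iPad" not in user_agent:
        # The header is chosen by the client, so this filters nothing.
        return 403, None
    email = ACCOUNTS.get(icc_id)
    if email is None:
        # A different status for unknown IDs also reveals which IDs exist.
        return 404, None
    return 200, email


class DeviceTokenGate:
    """Stronger design: prefill needs an unguessable token bound to the account."""

    def __init__(self, accounts):
        self._accounts = accounts
        self._token_hashes = {}  # icc_id -> SHA-256 hex digest of the issued token

    def register(self, icc_id):
        """Issue a random token at registration time; only its hash is kept."""
        if icc_id not in self._accounts:
            raise KeyError(icc_id)
        token = secrets.token_urlsafe(32)
        self._token_hashes[icc_id] = hashlib.sha256(token.encode()).hexdigest()
        return token

    def prefill(self, icc_id, token):
        expected = self._token_hashes.get(icc_id)
        presented = hashlib.sha256((token or "").encode()).hexdigest()
        # Constant-time comparison; a dummy digest is used for unknown IDs so
        # that "no such ID" and "wrong token" take the same path.
        matches = hmac.compare_digest(presented, expected or "0" * 64)
        if expected is None or not matches:
            return 403, None
        return 200, self._accounts[icc_id]


def compare():
    """Run the same 'neighbouring identifier' request against both designs."""
    gate = DeviceTokenGate(ACCOUNTS)
    alice_token = gate.register("8900000000000000001")
    gate.register("8900000000000000002")
    ipad_ua = "Mozilla/5.0 (iPad; constructed sample UA)"
    return {
        "weak_neighbour": prefill_by_url_id("8900000000000000002", ipad_ua),
        "gated_own": gate.prefill("8900000000000000001", alice_token),
        "gated_neighbour": gate.prefill("8900000000000000002", alice_token),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

With the token gate, a request for someone else's identifier gets the 403 that letourneau asks about, and an unknown identifier is indistinguishable from a wrong token.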


ReadEvalPost: as I repeatedly stated, I'm no expert on technology, so if I misunderstood that part, I readily admit error. The way the Court described it, I understood that this guy wanted to make use of the 3G plan, so he obtained a sim card and made a fake ipad to confuse AT&T. I don't know if that is illegal or not. It certainly doesn't seem kosher. I got to think some TOS was violated, and it certainly seems fraudulent vis-a-vis AT&T.
posted by dios at 3:19 PM on April 11


Ok, well, it's time to head home for the weekend. My understanding of what occurred based on the Court's actual opinion suggests to me this is really shady crap that ought to be illegal under the terms of the statute and certainly the intent of it. Apparently a lot of people want to defend it as innocent behavior and see nothing wrong with the stuff these two guys were doing. I see no common ground, so I think we'll just go around and around on it. So I guess it is a good time for me to bow out. Thanks for the discussion.
posted by dios at 3:24 PM on April 11


dios: Read the amicus brief about weev's case:

http://blog.ussjoin.com/2013/07/amicus-brief-for-weev.html
posted by I-baLL at 3:28 PM on April 11 [2 favorites]


One of my jobs since we re-did our whole website at work last year is to track down "lost" pages and either make them be un-lost or dispose of them entirely. Some of our older naming conventions were, ah, idiosyncratic, and so finding them has often been an exercise in educated guessing. For instance, I had to find several pages from one program area that had all gone missing, but once I found the first one, I could educated guess what the URLs for the others would be. There was no decrypting of anything, there was no password-cracking of anything, and there was no using any nefarious techniques or technologies except thinking and banking on there being a common pattern in the URLs of those missing pages.
posted by rtha at 3:40 PM on April 11 [5 favorites]


TOS violations are also not a crime.
posted by rhizome at 3:42 PM on April 11 [3 favorites]


"The idea that this was an innocent stumbling upon or otherwise publicly accessible information is hogwash. This Spitler guy was trying to hack into the system to get 3G to a non-ipad. He then obtained a copy of the ipad OS and decrypted it (the details of which aren't discussed, but I'm sure there was something illegal going on there). But then in trying to work around registering, he noticed how the "key" to this information worked. He then created a brute force attack of guessing the keys to find the information."

No, you're wrong, and you don't know the topic well enough to talk about it.

1) "Hack into the system to get 3G to a non-ipad" is misleading and loaded rhetoric. He was attempting to sign up for a service plan for a device he legally purchased that was not barred from service.

2) "He then obtained a copy of the ipad OS and decrypted it (the details of which aren't discussed, but I'm sure there was something illegal going on there)."

No. Any developer could do that. It's part of software development.

3) He wasn't trying to work around registering — he was trying to register his computer to get the consumer product that was offered (but not designed for his computer).

4) "Brute force" there is also a term of art; he wrote an algorithm to solve a problem of a large data set.

5) None of this contradicts the idea that this was publicly-accessible information.

"In other words, he knew he did not have authorization to get this information--the test in the crime--and that he was using brute force to find the key to get the information. He then obtained information that would have been protected but for manufacturing of the key to it. "

No, not in other words. He saw that this information was publicly available and wrote a code to retrieve it. It was not protected in the least — it was available for anyone who asked for it at the right door.

"All of the suggestions that this stuff was publicly available in any meaningful sense is inconsistent with what the Court requires. This guy had to guess at a key to get to the information. And it is only with the key that he could get that information--it was protected from anyone not in possession of the key--either properly in possession of it or by guessing it."

No, the URL is not a key. A URL is by definition public information.

"The intent is very much important here, and as the Court describes it, the intent was well in place here."

Hogwash.

"But there is a reason that is in a footnote and not in the merits of the discussion: "password" is not the test in the federal statute."

There's a better reason: It's not germane to the decision, which was based on location.

"To me, there is not a necessary connection between "password" and "authorization." I think people can exceed their authorization if they start manipulating something that is naturally not done. I don't see why he needed to break a password to "exceed authorization.""

Not naturally done? What an empty phrase for computer law! What a bizarre standard in general to appeal to nature!

You don't see it because you don't understand how computers work.

Is someone who decodes a message from a numbers station without the express permission of the CIA exceeding what's naturally done?

"so he obtained a sim card and made a fake ipad to confuse AT&T. I don't know if that is illegal or not. It certainly doesn't seem kosher. I got to think some TOS was violated, and it certainly seems fraudulent vis-a-vis AT&T."

1) TOS violations are not illegal.

2) I create different user agents all the time at work because I need to see how web pages render on different devices and browsers. It's, like, five clicks in Firefox.

3) AT&T was offering the service to people with iPad sims. It was a good deal. Had he not found the huge security flaw, they would have been happy to have him as a customer. The only way it's evil is if you assume that Ma Bell should own your phone as well as the line.
posted by klangklangston at 4:07 PM on April 11 [9 favorites]


> "Brute force" there is also a term of art; he wrote an algorithm to solve a problem of a large data set.

Yeah but this was not an abstract problem he was trying to solve.

I agree that what he did was probably not illegal under the act he was charged with.

But I think it was clearly wrong, and immoral. He knew the data he was accessing was not _supposed_ to be public. If someone accidentally dropped their medical papers and I walk by, there is nothing stopping me from reading their personal information, sure. But that doesn't mean I don't know it's wrong to.

Just because you can do something, doesn't mean you should. Once he realized the exploit, the right thing to do was contact AT&T and not keep any copies of the data or pass it on to anyone.
posted by wildcrdj at 4:21 PM on April 11


You'll get no argument from me on that score. This case is a problem because it could set a bad precedent, not because Weev is being horribly persecuted for minding his own business.
posted by Holy Zarquon's Singing Fish at 4:28 PM on April 11 [3 favorites]


Yeah, when I see comments like "He made a request to a public web server, and it responded" -- I mean, that's true, and from the perspective of the strict technical/legal argument it makes sense, but it strips the context in a way that is troubling to me.

Because he (Weev) is not the only one who really does think that means it's OK to access the data, that the lack of a lock or password or seal gives them the right to do this kind of thing. Not surprising to see what an asshole he appears to be in general.
posted by wildcrdj at 4:41 PM on April 11 [1 favorite]


> It's not illegal to be an asshole

Jesus bloody Christ, that absolves anyone of anything. Well, ruining someone's life isn't illegal, so meh. As long as they're on the side of the law, right?
posted by quiet earth at 4:48 PM on April 11


Yes! If what he did isn't against the law, he shouldn't be in jail for it! That doesn't mean we like him, but that is literally what the rule of law means.
posted by Holy Zarquon's Singing Fish at 5:11 PM on April 11 [14 favorites]


dios: "It seems to show some desire to give approbation for hacking as if it is a good in and of itself."

It is good in and of itself. Discovering exploits is an essential and important part of having a secure world. Because of what happened with weev, everyone in the industry basically freaked out and went on lockdown. Before his case, it was assumed that uncovering an exploit and reporting it without intending to use it for harm and without using the information to steal money or hurt people was a good thing that would be accepted and people would be thankful. After what happened with weev, a whole lot of people suddenly had to face the fear that by doing their jobs - that is, by doing security research and looking for exploits in the wild - they would put themselves at risk of criminal prosecution. And that law, as the court interpreted it, would indeed mean they were criminals, would it not?

It is a terribly-written law. But interpreting "authorization" broadly turns it from a terribly-written law to a disastrous law which would ultimately make everyone less safe.
posted by koeselitz at 5:14 PM on April 11 [7 favorites]


> But I think it was clearly wrong, and immoral. He knew the data he was accessing was not _supposed_ to be public. If someone accidentally dropped their medical papers and I walk by, there is nothing stopping me from reading their personal information, sure. But that doesn't mean I don't know it's wrong to.

Alternative example:

1) You figure out your doctor's office has a system by which you can request a copy of medical records at the desk by giving the clerk your social security number, with no other checks.
2) You wonder how secure that is, so you ask the clerk for the records of the number changed from yours by one digit.
3) the clerk gives them to you also, without comment.
4) if they don't have a record for the number, he just doesn't give you any records.
5) you hire a guy to sit there all day and request random numbers, and take a copy of each of the medical records the clerk hands your guy.
6) After mulling over selling the records on, you hand them over to a reporter.

What steps do you want to make a criminal offence? Hiring a guy to ask the questions? (writing the slurper). Figuring out you could ask for records by SSN? Getting the wrong records if you give an incorrect social security number? Thinking about selling those records but not doing it?

If weev's conviction had stood, it would have been all of them.

There were a number of things that could have been done to stop Weev doing what he did, including not doing what they did, or securing that access properly in the first place, or even noting that the same IP was requesting multiple records.

Setting up a public webserver is not a trivial act, you're setting up a machine to automatically hand over information to all comers, no questions asked. You better be damn sure the information you hand out is what you meant to hand out, and to who. If it's not intended for public access, you shouldn't put it on your public website and just hope that nobody finds it, and prosecute anyone who does.

I just visited http://www.metafilter.com/admin mainly to see what would happen. I've no idea what is in there, but maybe there's a secret page that'd let me see all sorts of cool stuff!

It rightly kicked me out. That's no different from a technical perspective than what weev did, and I hope you think visiting or posting that link shouldn't result in several years of jail time for me.

Yes, weev is a massive asshole, and he should be spending plenty of time in jail for his illegal harassment over the years. I'd be more than happy to see him behind bars for some of the shit he's pulled.

But he shouldn't be in jail for this, and the venue shopping was the cherry on top.
From a technical point of view, if this IS illegal and the conviction had stuck, then you could kiss goodbye to the vast majority of whitehat security research and testing in the US. Even a lot of tech diagnostics and other IT admin work becomes very tricky to do if you never know whether something that's publicly published and accessible to everyone easily was actually intended to be so; and if it wasn't, you're going to jail.

Responsible disclosure of security flaws is polite, but it takes all sorts, and people have a right to know how badly AT&T screwed up. It's not how I would have done it, but it shouldn't be worth jail time for it.
posted by ArkhanJG at 5:34 PM on April 11 [10 favorites]
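
The operator-side check mentioned in the comment above ("noting that the same IP was requesting multiple records"), as an added example that is not part of the thread: it flags any client that asks for many distinct identifiers within a short window. The log lines are constructed, and the `icc_id` parameter name, the threshold and the window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log-style prefix; only the fields needed here are captured.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) HTTP/[\d.]+" \d{3}'
)
ID_RE = re.compile(r"[?&]icc_id=(\d+)")  # hypothetical parameter name


def parse(line):
    """Return (ip, timestamp, identifier) or None if the line is not relevant."""
    m = LOG_RE.match(line)
    if not m:
        return None
    id_m = ID_RE.search(m["path"])
    if not id_m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, id_m.group(1)


def find_enumerators(lines, max_ids=3, window=timedelta(minutes=5)):
    """Map each flagged IP to the most distinct IDs it requested in any window."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            ip, ts, ident = rec
            events[ip].append((ts, ident))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        counts = defaultdict(int)  # identifier -> occurrences inside the window
        start = 0
        worst = 0
        for ts, ident in evs:
            counts[ident] += 1
            # Slide the window: drop events older than `window` before `ts`.
            while ts - evs[start][0] > window:
                old = evs[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            worst = max(worst, len(counts))
        if worst > max_ids:
            flagged[ip] = worst
    return flagged


def _line(ip, hhmmss, ident):
    return f'{ip} - - [01/Jan/2024:{hhmmss} +0000] "GET /login?icc_id={ident} HTTP/1.1" 200'


# Constructed sample log.
SAMPLE_LOG = (
    # A returning customer: the same identifier three times.
    [_line("203.0.113.5", f"10:0{i}:00", "8900000000000000001") for i in range(3)]
    # Four different identifiers, but hours apart (e.g. a shared NAT address).
    + [_line("203.0.113.9", f"1{i}:00:00", f"890000000000000002{i}") for i in range(4)]
    # Six different identifiers inside six seconds.
    + [_line("198.51.100.7", f"10:00:1{i}", f"890000000000000001{i}") for i in range(6)]
    + ['198.51.100.7 - - [01/Jan/2024:10:00:20 +0000] "GET /favicon.ico HTTP/1.1" 404']
)

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

A per-client count of distinct identifiers separates the returning customer from the enumerating client even though every individual request looks normal.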


> He knew the data he was accessing was not _supposed_ to be public

Guess who else knew it wasn't supposed to be public? AT&T. I wonder why that name never comes up when talking about how even if laws don't say what happened was illegal the guy is a jerk so let's convict him of something already.
posted by rhizome at 6:05 PM on April 11 [5 favorites]


> But I think it was clearly wrong, and immoral. He knew the data he was accessing was not _supposed_ to be public.

You've never changed the URL of a webpage to see if you could access the file directory or anything? Never?
posted by Justinian at 6:11 PM on April 11 [3 favorites]


dios: "But how it is their fault for this? That's like saying I am at fault for having my house robbed because, even though I thought I locked the door, I actually did not fully engage the deadbolt so it was easily opened by someone trying to get in, thereby making my furniture "publicly accessible." I am fascinated by that mindset."

Physical analogies are really tough for this kind of thing. This one is fatally flawed because you leave out the "port 80" sign in front of your house that says "take pictures of whatever you find behind any unlocked door". Serving web documents is the act of inviting people inside.

99_: "Wait, so everyone who supports this analogy thinks it's okay to poke around in areas that clearly don't belong to you because they are unlocked?"

There is obviously a spectrum here. At one end I'm not going to feel guilty at all if I read messages on a physical bulletin board that aren't specifically addressed to me. Even if they are specifically addressed to someone else. I don't feel guilty hiking privately held land that isn't posted no trespassing. I've been known to read personals in a newspaper addressed to someone else. AT&T is publishing this information. I've engaged in quite a bit of dumpster diving without guilt. If I came across a physical bulletin board with a thousand numbered unsealed envelopes individually thumb tacked to it I might open a few to see what they were about. And I've done quite a bit of urban exploring of both utility systems and nominally private abandoned structures.

valkyryn: "I see no reason why DOJ can't just retry the case in the federal district where Auernheimer maintains his permanent residence. I can't for the life of me see why his defense attorneys think this is a double jeopardy case. It's only double jeopardy if you are acquitted. No one has offered me any reason why this might not be the case, anyway."

I don't know if the law supports this but it is self evident to me that allowing the government to just keep retrying suspects even if they aren't technically acquitted is both bad and against the spirit of double jeopardy laws. Otherwise the limitless resources of the federal government could easily keep a defendant in court for the rest of their lives repeatedly retrying the case in different venues.

wildcrdj: "Yeah, when I see comments like "He made a request to a public web server, and it responded" -- I mean, that's true, and from the perspective of the strict technical/legal argument it makes sense, but it strips the context in a way that is troubling to me.

Because he (Weev) is not the only one who really does think that means it's OK to access the data, that the lack of a lock or password or seal gives them the right to do this kind of thing. Not surprising to see what an asshole he appears to be in general."

Serving data on port 80 is publishing. The fact that what you are publishing is obscured by a firehose flow of other information doesn't make that information secret; it's still being published. Think of a URL as an internet equivalent of a Dewey Decimal number. Weev was just browsing the electronic "stacks".
posted by Mitheral at 6:43 PM on April 11 [4 favorites]


dios - I think the brick and mortar analogy would be that AT&T put everyone's personal information in unlocked numbered cubbies facing a public sidewalk and this weev guy got arrested for having the gall to look in the ones with a different number than his.

What, like a mailbox?
posted by Quart at 6:46 PM on April 11


Anyone not familiar with the methods of what he did here would do well to read this wiki page on fusker, and "fuskering".

This exact kind of "try a bunch of random numbers and see what works" was very popular with photobucket accounts. It wouldn't work on private photos, but almost no one used that feature.

It isn't hacking any more than having all but the last two digits of a phone number, and trying every possible combination until you find the person you were looking for... but also finding another number you'd want to have along the way.

As much as i dislike this guy, i just can't abide by calling this "hacking". It's on the same level as this, and is the type of thing i would have tried as a curious 12 year old with an internet connection. Prosecuting him for doing it screams sour grapes. The only way i even remotely agree with it is because of the pretty damning "let's sell all this info to spammers" thing, which they were too chickenshit to even do. It just sounds like convicting two kids who bought some illegal fireworks, and were drinking on the football field at night for trying to arson a high school or something, if we're gonna do analogies.

I'm very curious as to whether someone was fired for not securing this info. Because if i was on the getting-prosecuted side of this sort of thing (which i honestly bet i was closer to than i'd like to think as a teen) i'd definitely bring that up. This wasn't just a door left unlocked, this was like putting the stuff out in the front yard. The cubby analogy is apt.

It actually, to make yet another analogy, reminds me of something that me and an idiot friend almost got in serious trouble for in high school. They fired the IT guy, and he left an extra school-owned laptop and a bunch of equipment out back near the garbage cans in a box. So me and my friend went through that box, outside of the school, near a garbage can, and took the laptop and a bunch of cool stuff.

The prosecuting side version of this story was that we went through a box of school property which wasn't supposed to be outside and stole stuff. Our side was that it was left as garbage.(i never returned the damn thing because they couldn't prove who did it, and that would be tacitly admitting guilt. i knew they wanted to slam me, god what a shit situation that was)

Which one sounds ridiculous when you really think about it? It gets even murkier when you consider that this isn't actually taking anything, in addition to not being "breaking in" to anything. This is the equivalent of taking a photo or making a sketch of a map of a building inside the lobby, after being directed to follow one corner of the map to figure out what elevator you needed to take. Then again, in 2014 that would probably be plotting terrorism, because why do you need the plans to a building unless you're going to blow it up?
posted by emptythought at 6:52 PM on April 11 [1 favorite]


I'm firmly of the opinion that the prosecutor shopped for a venue in this case to find a state law that was broad enough, and a jury pliant enough, to get a conviction.

The appeals court agrees with you. In fact it's even worse than you say, because the jury wasn't even instructed on the issue of venue, they were just told that it was proper -- all so the prosecution could get a five-year sentence with their shiny new CFAA laws. This is some serious King George III shit that shouldn't be tolerated.
posted by RobotVoodooPower at 7:31 PM on April 11 [1 favorite]


As long as we're on the analogy train, it's like knocking on all the doors in the neighborhood until someone lets you in, then they want you arrested because you saw all their homemade porn lying around.
posted by klangklangston at 8:51 PM on April 11 [5 favorites]


wildcrdj: "But I think it was clearly wrong, and immoral. He knew the data he was accessing was not _supposed_ to be public. If someone accidentally dropped their medical papers and I walk by, there is nothing stopping me from reading their personal information, sure. But that doesn't mean I don't know it's wrong to."

I think there's a great deal of confusion here about where the right and wrong lie in the case. You're talking about it as if looking at the data is inherently wrong. But if looking at data or personal information (nota bene: this was in fact not personal information, it was just email addresses and keycodes) is inherently wrong, then AT&T commits fraud on a daily basis, because they have to look at that information themselves. Just looking at it can't possibly be wrong.

What is wrong is using that information for evil. If you end up seeing my social security number, either because you happen to glance at it accidentally or because I show it to you, you have done nothing wrong. But if you proceed to use my social security to steal my identity or empty my bank account, then you've crossed over into harming me, and you have committed a wrong.

This isn't just a bit of moral reasoning; it applies directly to the real world. This is how Internet security works: flaws, bugs, and mistakes are very often discovered by someone in the public.

This is how Internet security researchers (and plain old good-hearted engineers and programmers) do it: they go to a website for whatever reason - let's say it's metafilter.com - and they notice that the login page is loading really quickly, which makes them suspicious. So they say, "hm - I wonder if it's really validating my password?" They try a bunch of passwords and usernames, and it turns out anyone can log into any account no matter what. "This is terrible!" they say to themselves, and they send an email along to the site administrator, pb, telling him about the bug and telling him he should fix it.

Did this person in the scenario I described above do anything wrong? By your argument, she did - when she accessed another account that she wasn't supposed to. I guess you might say that she should have just emailed pb right away when she noticed that the login loaded way too fast; but if people did that, pb would be wading through emails all day long.

What was needed was a little bit of "hacking" - a little bit of poking the machine to see if it works, after which the bug gets reported to the right people. As someone who works with databases all day, this is how computer stuff really has to work. People who encounter bugs must test a bit and examine what they've found in order at least to verify that the bug really exists.

There is nothing wrong with that. And it absolutely shouldn't be criminal to do so.
posted by koeselitz at 11:14 PM on April 11 [5 favorites]


So if we accept all the various analogies about reading bulletin boards, open cubbies, etc., how then do we set the analogy of what they did with the information once it was obtained? If I find someone's tax returns on the sidewalk and then IM a friend about selling the info to a third party, doesn't that speak to intent to misuse information that is clearly not mine?

Maybe it's not clear to everyone on this thread, but if you find something in a public place and you can readily identify it as the private property of someone else you are not allowed to do whatever you feel with the information.
posted by 99_ at 12:28 PM on April 12


Yes! If what he did isn't against the law, he shouldn't be in jail for it! That doesn't mean we like him, but that is literally what the rule of law means.
posted by Holy Zarquon's Singing Fish at 5:11 PM on April 11 [9 favorites]


Oh, so stalking people, harassing them for years, and breaking into their private computer systems is legal or ethical? We don't really care about the "ethical" part, do we? I'm not talking about his current charge, which was ridiculous. I'm talking about harassment in general. If anyone here can honestly defend the way certain people have had their lives interfered with by people with ill intent, and if it's perfectly okay that there is absolutely nothing we can do about it, then go to hell. I've encountered people much more dangerous than a random jerk on the street. It's not asshole behaviour. It's deranged sociopath behaviour.
posted by quiet earth at 12:50 PM on April 12


He was not convicted of any of those things. He may still be. Judging from the reports, he should be. But no amount of bad conduct justifies throwing him in jail for breaking one of the laws he didn't break. Upholding a bad conviction creates precedent that makes everyone less safe, regardless of whether the defendant is a saint or a Satan.

TLDR: Hard cases make bad law.

TLDR 2: The "give the Devil the benefit of law" scene from "A Man For All Seasons."
posted by Holy Zarquon's Singing Fish at 1:01 PM on April 12 [2 favorites]


99_: "So if we accept all the various analogies about reading bulletin boards, open cubbies, etc., how then do we set the analogy of what they did with the information once it was obtained? If I find someone's tax returns on the sidewalk and then IM a friend about selling the info to a third party, doesn't that speak to intent to misuse information that is clearly not mine? ¶ Maybe it's not clear to everyone on this thread, but if you find something in a public place and you can readily identify it as the private property of someone else you are not allowed to do whatever you feel with the information."

You're describing the situation very selectively, so I'm not sure you understand what happened.

This case is like this: I got the information, then IM'd with a friend and said "holy crap, this is a big deal - I could probably sell this for thousands of dollars!" - and then I logged off, told a reporter about the leak and showed them the file, and then reported it to the people in charge.

The essential fact is that weev easily could have sold the data. It would not have been hard. And he clearly turned it over in his mind. But I've turned lots of illegal things over in my mind; what matters is that I didn't do them.

weev discovered the information, talked about it with friends, showed it to a reporter, and then notified AT&T. We can argue about whether he did that in the right order, but it's pretty clear that that's roughly the path almost anyone has to take when encountering a big lapse like this.
posted by koeselitz at 1:04 PM on April 12


Never mind, wrong thread.
posted by happyroach at 1:17 PM on April 12


Oh, so stalking people, harassing them for years, and breaking into their private computer systems is legal or ethical? We don't really care about the "ethical" part, do we? I'm not talking about his current charge,

But that is what the thread is about, and that is what Holy Zarquon was addressing. You aren't really arguing that convicting and jailing weev for something he didn't actually do is a righteous and ethical use of the legal system because he *did* likely break other laws and be an asshole to people, are you?
posted by rtha at 1:56 PM on April 12 [1 favorite]


So if we accept all the various analogies about reading bulletin boards, open cubbies, etc., how then do we set the analogy of what they did with the information once it was obtained? If I find someone's tax returns on the sidewalk and then IM a friend about selling the info to a third party, doesn't that speak to intent to misuse information that is clearly not mine?

Except he only talked about that stuff, and never did it. If talking about doing something illegal was illegal, every teenager would be in jail.

And this obviously isn't the same as when the FBI sets someone up trying to buy bomb making materials or a hitman or whatever. He essentially went "heh, we could do this shitty thing" and then went to the media and the company and did essentially, the right thing. Then they tried to get him in trouble for basically laughing at them with their pants down.
posted by emptythought at 2:26 PM on April 12


And this obviously isn't the same as when the FBI sets someone up trying to buy bomb making materials or a hitman or whatever. He essentially went "heh, we could do this shitty thing" and then went to the media and the company and did essentially, the right thing. Then they tried to get him in trouble for basically laughing at them with their pants down.

He exploited an observably bad and/or lazy programming practice, culled information he was clear from the very first instance of the error did not belong to him, and then contacted a third party and speculated on the value of the information to other third parties.

But it was still not his information to determine what to do with it. Because he found it, he isn't an arbiter of what he can do with it. It is still someone else's property. You can legally leave your property in a public place, unsecured (say, a bike) and people still can't take it.

Because there's a strand of anarchism in the 'information is free' notion, it doesn't mean your ideological predisposition will carry the day, or that the technical aspects of the case at hand presume a linear outcome to support your ideology. My point is only that people keep drawing analogies to real world actions, almost all of which are clearly illegal (see upthread the person who thinks you can knowingly provide false SS#'s to obtain another person's medical records and that you wouldn't be charged with a crime if the person providing the records did what you think is a poor job of validating your ID). Arguing that 'publishing on Port 80' is an absolute act and anyone who receives information and acts independently using as their primary (or only) defence "Well you should have known better" is just ensuring we are going to get even more tortured legislation than what we have in place.
posted by 99_ at 2:59 PM on April 12


99_: "He exploited an observably bad and/or lazy programming practice, culled information he was clear from the very first instance of the error did not belong to him, and then contacted a third party and speculated on the value of the information to other third parties."

All of which are not only defensible but morally obligated in a world where computer security is important. Yes, I am saying weev was morally obligated to do what he did. If you see fucked up programming practice with disastrous results in the wild, you must document it, and you must report it. That is what weev did. And I don't give a crap what he talked about with his friends; I care what he did.
posted by koeselitz at 3:14 PM on April 12


Context: we are talking about a release of email addresses, not state secrets.

In that context a calculated developer's risk: What's the worst that happens? We give someone a list of emails. I'd take it and I only marginally dislike my employer. It's not like the URL was left lying around. While clearly not of a level to thwart determined hackers there was a small effort made to keep out random traffic.

It's Friday, all you needed to get done this week besides eight meetings is crank out that piece that puts the email in the sign-in box. You have a unique ID and are checking that you have an agent string and have buried this information in code that will be encrypted.

You will have yourself a nice weekend despite being some sort of asshole who will work at AT&T and is able to leverage the business systems and websites without a monstrous code review. In a few years time people will be calling for your head.

Perhaps the you in this case is a collective; the collective is rarely smarter, just more rule-bound.

In the meantime every system operator that ever asked for your email address such as, oh, this site or Amazon has even easier to use unique identifiers that tell them the same thing. Also Snowden.

Was where weev went super-protected? No, just enough to be legally within scope. Did he go in with intent to further a crime? Only outlaws SPAM from shady lists, right? Intent differs murder from homicide.

All laws with punitive elements are based in deterrence through asymmetry: you are to be frightened off by a prospect because it isn't worth it. When you are small potatoes nobody thinks you'll care. Like the anonymous marginally lazy engineer, weev should have known better and thought he was obscure enough the law would not see.

Surprise! all around.

The law is not tailored enough and that's the meat of it. Sixty days for dickmove and another ten for thinking you are a special snowflake and on your way reminded better for next time. At least pick classier shaming channels. The law is instead blind and weev provides a deterrent spectacle: this is why we leave some data alone.
posted by Ogre Lawless at 6:39 AM on April 13
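The design sketched in the comment above (an e-mail lookup gated only by a unique ID and a User-Agent check), set beside a version that makes the caller prove ownership of the ID. This is an added example, not part of the thread and not AT&T's code; the records, the `ExampleTablet/1.0` string and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records. The IDs are sequential on purpose: guessable
# identifiers are what make "try the next number" work against a lookup.
SUBSCRIBERS = {
    "1000000001": "alice@example.com",
    "1000000002": "bob@example.com",
    "1000000003": "carol@example.com",
}

EXPECTED_AGENT = "ExampleTablet/1.0"  # hypothetical client string


def weak_lookup(device_id, user_agent):
    """ID plus User-Agent check. Both values are chosen by the caller, so
    neither one shows that the caller is the subscriber behind the ID."""
    if EXPECTED_AGENT not in user_agent:
        return None
    return SUBSCRIBERS.get(device_id)


# Server-side secret; in a real service this lives in a key store.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(device_id):
    """Token handed to a device after it has authenticated (that step is
    assumed and not shown). It is bound to exactly one device ID."""
    return hmac.new(SERVER_KEY, device_id.encode(), hashlib.sha256).hexdigest()


def hardened_lookup(device_id, token):
    """Return the record only when the token was issued for this ID."""
    expected = issue_token(device_id).encode()
    if not hmac.compare_digest(expected, token.encode()):
        return None
    return SUBSCRIBERS.get(device_id)


def exposed_records(lookup, credential):
    """Regression check for the service owner: how many stored records does
    one fixed credential unlock? Anything above 1 is an authorization gap."""
    return sum(
        1 for device_id in SUBSCRIBERS
        if lookup(device_id, credential) is not None
    )


if __name__ == "__main__":
    agent = "Mozilla/5.0 ExampleTablet/1.0"
    own_token = issue_token("1000000001")
    print("weak design, records per credential:",
          exposed_records(weak_lookup, agent))
    print("hardened design, records per credential:",
          exposed_records(hardened_lookup, own_token))
```
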


You can legally leave your property in a public place, unsecured (say, a bike) and people still can't take it.

So, to provide an example of an actual thing that happened, when I found $90 in cash on the floor of my local grocery store and gave it to the manager, who may or may not have just kept it for himself, who broke what laws? Please be specific. Bonus points for citations of convictions.

At the end of the day, the argument for convicting Weev on these counts seems to be that anything not explicitly hyperlinked from some discoverable public page is (or should be) illegal to access. Is that a reasonable interpretation?

If talking about doing something illegal was illegal, every teenager would be in jail.

Not to mention countless rappers, and Ted Nugent.
posted by rhizome at 12:34 AM on April 14


So, to provide an example of an actual thing that happened, when I found $90 in cash on the floor of my local grocery store and gave it to the manager, who may or may not have just kept it for himself, who broke what laws? Please be specific. Bonus points for citations of convictions.

Since your Google is broke, I am going to need your location. But your example doesn't actually correlate to the situation -- the more accurate corollary is: you find $90 in a grocery store and give to someone outside the store that isn't a law enforcement official (you can say 'reporter' if it makes you feel better, but since it's real property, any sort of journalism defense is irrelevant) you are guilty of simple theft (like whatever is the lowest misdemeanor because of the value) and the third party of receiving stolen property. I would think the store owner is under the same obligation but they probably wouldn't be charged with theft for keeping the money on site provided they made a good faith effort to advertise it was lost, but it was unclaimed then they would be required to surrender it to the police. If you just kept it in your pocket for a couple weeks, I don't think you would get the same benefit of a doubt vis a vis trying to find the rightful owner.

Most people simply don't believe because it seems to defy common sense, or 3rd grade ethics (Finders Keepers!), but unless you can ascertain to a high degree of certainty that property is abandoned, you can't claim it. Money is very hard to verify as abandoned. You can turn money into the police and they will voucher it. After a period of time, you can claim it, once it's been declared abandoned.

Because there have been a couple hundred years of odd events and other kinds of malfeasance, property law to the smallest degree is highly specific, and there is very little allowance for just keeping stuff you find.
posted by 99_ at 11:51 AM on April 14


you find $90 in a grocery store and give to someone outside the store that isn't a law enforcement official (you can say 'reporter' if it makes you feel better, but since it's real property, any sort of journalism defense is irrelevant) you are guilty of simple theft

OK, but I guess now I'm unclear how this spatial conceptualization maps to web servers.
posted by rhizome at 12:48 PM on April 14 [1 favorite]


"Since your Google is broke, I am going to need your location. But your example doesn't actually correlate to the situation -- the more accurate corollary is: you find $90 in a grocery store and give to someone outside the store that isn't a law enforcement official (you can say 'reporter' if it makes you feel better, but since it's real property, any sort of journalism defense is irrelevant) you are guilty of simple theft (like whatever is the lowest misdemeanor because of the value) and the third party of receiving stolen property."

That's not true in most jurisdictions. Unless you have a reason to believe that the money was stolen in the first place, the test is generally that you find the property in 1) a place likely not intended by the property owner; and 2) that the property owner would be unlikely to return to the spot where the property was found. (Likewise, it seems weird to quibble about law enforcement officials — the store representative isn't one, but in most cases that person [if the original owner is likely to return for the property] is the appropriate one to pass the property on to.)

In Michigan, where I'm from (since I don't know California law on this, let alone municipal), the law is that you have to report any found valuables to the police, but not turn said valuables over unless the legitimate owner can be located within a set period of time (I think 90 days, but don't remember). I've found wallets and turned 'em over to the police or other folks; I've found a $20 on the street and kept it. Both were legal.
posted by klangklangston at 1:05 PM on April 14


Since cash is pretty anonymous, bills on the ground probably put you in clear -- though it's going to depend on location. But I'd be curious about what the standard of 'unlikely to return' (how long should money be left unattended in a public place before assuming the owner wouldn't retrace their steps)?

CA 485. One who finds lost property under circumstances which give him knowledge of or means of inquiry as to the true owner, and who appropriates such property to his own use, or to the use of another person not entitled thereto, without first making reasonable and just efforts to find the owner and to restore the property to him, is guilty of theft.


OK, but I guess now I'm unclear how this spatial conceptualization maps to web servers.


Was it ever unclear who owned the servers?

But to my point above: regardless of the current state of privacy/hacking/etc., most attempts to create 'real world' analogies that attempt to mitigate the sense that what weev did was theft aren't going to work because it's pretty hard to just find something and keep it in the real world based on existing laws.
posted by 99_ at 1:18 PM on April 14


It's also hard because weev didn't remove that data and not leave it for anyone else to use or find. It was all still there, unlike a bicycle removed without the owner's consent, or dropped cash in a grocery store aisle.

Across the street from our house is a sound barrier, because there's a freeway right there. That side of the street is pretty popular with illegal dumpers - they don't want to pay the fees at the dump to get rid of their old washing machines or buckets of paint or carpeting. I come out of the house at least once a week and somewhere on the block is a pile of dumped stuff. Can I take it?

One day a few weeks ago, I came home from work and parked the car and noticed a pile of stuff next to the wall kind of in the bushes and kind of on the walkway - it was five or six backpacks, all in pretty good shape. I poked at a couple of them and saw that they had notebooks (the paper kind) and charging cords and pens, and one a luggage tag that seemed to indicate the owner was from China, and worked for a Chinese company. Can I take any of them?*


*What I did was call the dispatch number of the sheriff's station at the hospital right up the block, and they sent a deputy in about a minute to catalogue the stuff and take it....somewhere. I don't know if the owners were ever found, or if the deputies ever tried to find them.
posted by rtha at 2:18 PM on April 14


Look, if you want to troll someone, troll your local council, or statehouse. I'm not the one who made the laws regarding property. I'm sure you can find a thread about adverse possession and lots of heated, uninformed analogies and justification there as well.

I'm not positing an opinion about whether or not the laws are reasonable or sensible. I'm just pointing out that people very commonly misunderstand private property because the majority of their understanding starts and stops at 'finders keepers' and 'possession is 9/10ths' neither of which are really true, and if you want to make an argument or analogy, starting with 'well what if I just found a binder marked private in an AT&T store' is not going to garner you much sympathy in the eyes of the law.
posted by 99_ at 2:53 PM on April 14


It is really silly to label data which is not intended for sale as a product "property." Its procurement is not "theft;" it is invasion of privacy, or (more often) violation of a more defined-down computer crime. It more or less makes sense that, when I am selling copies of a file (a book, a song, etc) and someone procures them for free, we might call that "theft." But if data transfer in and of itself is always transfer of property, then this has massive and major legal ramifications.

You say you're just pointing out the law. Can you point to any case law whatsoever where a data breach was treated as simple theft?

And if so: that is a massive problem. Because it's unjust.
posted by koeselitz at 3:16 PM on April 14


- not because "information is free" or some such silliness, but because that would have terrifying and disastrous real-world repercussions.
posted by koeselitz at 3:17 PM on April 14


I note that even in this case, AT&T itself made no arguments whatsoever based on property law or theft. I appreciate that people have a shoddy sense of the legal importance of property rights, and I might even agree that that has some place in discussions of music and movie piracy, but this is a wholly different sort of case.
posted by koeselitz at 3:20 PM on April 14


Look, if you want to troll someone, troll your local council, or statehouse.

This isn't what I'm doing, but thanks for the bullshit assumption.
posted by rtha at 3:32 PM on April 14


But to my point above: regardless of the current state of privacy/hacking/etc., most attempts to create 'real world' analogies that attempt to mitigate the sense that what weev did was theft aren't going to work because it's pretty hard to just find something and keep it in the real world based on existing laws.

Well, then it's probably not a good idea to build an argument upon it:
But it was still not his information to determine what to do with it. Because he found it, he isn't an arbiter of what he can do with it. It is still someone else's property. You can legally leave your property in a public place, unsecured (say, a bike) and people still can't take it.
You can't have it both ways.
posted by rhizome at 3:46 PM on April 14


rtha: sorry. Here are your details. What gets called trash is something one could dispute:

2080. Any person who finds a thing lost is not bound to take charge of it, unless the person is otherwise required to do so by contract or law, but when the person does take charge of it he or she is thenceforward a depositary for the owner, with the rights and obligations of a depositary for hire. Any person or any public or private entity that finds and takes possession of any money, goods, things in action, or other personal property, or saves any domestic animal from harm, neglect, drowning, or starvation, shall, within a reasonable time, inform the owner, if known, and make restitution without compensation, except a reasonable charge for saving and taking care of the property. Any person who takes possession of a live domestic animal shall provide for humane treatment of the animal.

2080.1. (a) If the owner is unknown or has not claimed the property, the person saving or finding the property shall, if the property is of the value of one hundred dollars ($100) or more, within a reasonable time turn the property over to the police department of the city or city and county, if found therein, or to the sheriff's department of the county if found outside of city limits, and shall make an affidavit, stating when and where he or she found or saved the property, particularly describing it. If the property was saved, the affidavit shall state:

(1) From what and how it was saved.

(2) Whether the owner of the property is known to the affiant.

(3) That the affiant has not secreted, withheld, or disposed of any part of the property.

(b) The police department or the sheriff's department shall notify the owner, if his or her identity is reasonably ascertainable, that it possesses the property and where it may be claimed. The police department or sheriff's department may require payment by the owner of a reasonable charge to defray costs of storage and care of the property.

posted by 99_ at 4:09 PM on April 14


This Infamous Hacker Went to Prison for Trolling AT&T. Now He Wants to Troll Wall Street.
posted by homunculus at 2:43 PM on April 23

