by zmanji 4894 days ago
If anyone thinks weev deserves any sympathy, you don't know the full story. weev had malicious intent and wanted to harm AT&T by exposing users' data. Instead of doing anything remotely rational he took all the data and wanted to sell it.

Laws take into account indent (mens rea) and there is a lot of evidence in his indictment that he wanted to profit off this act. He shouldn't be compared to Aaron Swartz

12 comments

I know weev personally. He's "an unsympathetic defendant", and probably the 9th level Internet Troll, but his goal was fundamentally speech -- he wanted to draw a lot of attention to the issue, and embarrass ATT (hopefully enough that they'd stop being such fuckups about security), etc.

He wasn't trying to profit from this. If that had been his goal, he would have been a lot more stealthy.

It's arguable that he had "cleaner" motives in his act than aaronsw -- some people say aaronsw wanted to release all the files he recovered to the Internet (although there's no proof of that); weev just wanted ATT to suck less.

weev has said things far worse than what's alleged in this case (that they wanted to compile a list and direct market the users); yet, if you judge him by what he's actually done, he's just an asshole at times, but basically reasonable. Fortunately just being an ass isn't a federal crime (although I guess conspiracy to be an ass is).

Being "an unsympathetic defendant" frankly makes it even more important to support him. One of the worst things with these out of proportion indictments/sentences is that they leave too much room for other factors, which can turn into things like political repression.
So he committed a crime and wrote words that characterize the intent behind crime in such a way as to increase prosecutorial interest and sentencing. Now you are saying he was just joking around when he said those things?

Perhaps it's true, but it's stupid and it's hard for me to imagine anyone taking that explanation seriously, certainly prosecutors and judges.

If you walk into a bank with a gun and ask the teller for money, then say "just kidding", .... Good luck.

Yes, weev is an idiot. Yes, weev is abrasive. Fortunately neither of those are themselves crimes.

Weev has always taken anything and turned it into drama. That's the whole Internet Troll thing. A normal defendant wouldn't, when faced with a chance to reduce his sentence by 1-3 years by "accepting responsibility", post something like this to the press. It basically screams "upward departure" to a judge, while at the same time rallying people on the Internet, which doesn't really mean so much inside a federal ass-rape prison.

There is a difference between being abrasive and openly declaring unlawful intent. While the latter is not (always) illegal, it is a legitimate factor for prosecutorial discretion and sentencing.
Where was he openly declaring unlawful intent? The court transcript is on the web.
Yeah but prison time, followed by secret service, not allowed to use computers, not allowed to take jobs... for what, compiling a list of email addresses that a public API was happily returning to him? Despite his questionable handling of the situation, I don't support that kind of draconian punishment.
Agreed - I can despise his behavior, and how he handled this situation, but at the same time say what he did should not be considered a felony, and, based on what I read on the ArsTechnica article, it's not even clear if I feel like it's criminal.
I think it should be illegal to commercially exploit personally identifying information if it is obviously not published intentionally or with permission. If my personal details were accidentally leaked, I'd prefer every law abiding company didn't suddenly use this information to focus me in their spam cannon sights.

Whether this should be a felony should relate to how conspiratorial the intent and whether there's a reasonable expectation that the persons whose information is involved will be affected. It does sound like weev was doing something that would screw the AT&T customers involved -- a pretty nasty move.

If this were the case there would be a large number of corporate executives behind bars tonight. The biggest problem as I see it is that there is one rule for well heeled, connected, corporate types and another for poor, zany, out there types. What happened to all created equal and justice for all?
"That guy got life in prison all for moving a knife about two feet in a certain direction! The system is corrupt!"

I wish people could be a little more honest in the way they describe computer crimes. He knew or should have known that that api was not meant for public use. He is being punished for using it despite this knowledge.

So even though he didn't do anything illegal with the data, you think it is criminal that he didn't obey some unwritten rule about using an API in that way? If I wrote a script to scrape 10 million e-mail addresses from usenet, am I a felon because usenet isn't supposed to be used that way? What if I just want to analyze the patterns or show the world how easy it is to scrape?
Seems to be a little more of a gray area, considering usenet is a service that IS publicly available and labelled as such. I don't find the two to be analogous, if that is what you are asking.
You aren't seriously equating wrapping curl in a for loop to murder, are you?
Why do you even ask that. Isn't it obvious from my post that I'm pointing out that overly charitable wordings are misleading? Do you honestly believe that someone could have the mental capacity to enter words into this site and be unable to perceive the distinction between these two crimes? Or were you just trying to score a cheap rhetorical point by intentionally misreading me?

And again, it wasn't just wrapping curl in a for loop. It was doing that with the knowledge that the target was not meant to be public, storing that information, and sharing it with the media.

Also, it wasn't murder, it was assault with a deadly weapon. The victim went on to make a full recovery but it was the defendant's third strike.

>It was doing that with the knowledge that the target was not meant to be public

AT&T's intent isn't really relevant. The fact is, they published all of those emails publicly. They certainly didn't mean to, but I fail to see how accessing public websites can be considered a crime, even if you access lots of them when the company doesn't want you to. If I forget to close my blinds before having sex, that doesn't make anyone who walks by on the street and sees me a criminal. Nor are they criminals if they take a picture and post it on reddit. It's your job not to expose that material publicly if you want it to be private.

>storing that information, and sharing it with the media.

Neither of these are acts that should be considered criminal, just as the storing and uploading to reddit of an embarrassing photo is not criminal. Would it still have been criminal if he had passed the bash one-liner to the media, instead? What's the difference? The responsibility for the leak still resides with AT&T, and them alone.

Now, none of this is to say that I condone weev's actions. I certainly would have handled the situation differently. But being rude and being a criminal are not synonymous.

> AT&T's intent isn't really relevant. The fact is, they published all of those emails publicly. They certainly didn't mean to, but I fail to see how accessing public websites can be considered a crime, even if you access lots of them when the company doesn't want you to.

In the meatspace it happens all the time that you can get in trouble for being somewhere you're not supposed to even if they forgot to hit the locks on the way out.

Or for a possibly more relevant example, what happens in real life if you find an ATM that has an error such that it gives you twice as much cash as you asked for? Is it still theft if you take it? (Hint: Yes)

Should that equate to a felony here, where no authentication shenanigans were employed? I don't think so, but I wish we'd quit with the victim blaming here on HN.

I also wish we'd separate the enforceability of something from its morality or legality. There's many, many minor things wrong that people can do that even the current state can't hope to fully enforce, but that doesn't make it right, it makes it a fact of life. But if you do somehow get caught doing something that 99% of the rest manage to get away with, shame on you.

By the way, that ATM example wasn't made up: http://investorplace.com/2012/11/faulty-atm-gives-out-extra-... (the Bank opted not to try to find out which customers took the money, due to the difficulty with getting accurate evidence, not because it was right to take the money)

> AT&T's intent isn't really relevant.

That's definitely not legally true.

I know it's a bit off topic but it's even simpler than that with bash expansion:

    wget http://example.com/?id={1..10}
If AT&T didn't want to publish their users' data publicly, they didn't have to. But they did. Anything done with that data after that point is 100% their fault.
Seriously? That you actually believe his punishment fits the crime is incredibly saddening. If even the top voted comment on a site that understands the issue believes the punishment is appropriate, imagine the discussion in a law firm or in parliament. Anybody in the USA touching a computer will be in trouble soon. Can't wait for the next batch of laws.
Punishing people for purposefully disclosing private information that is clearly not intended to be public is the path to "everyone touching a computer will be in trouble soon?" You act as if he was just playing around on his own computer minding his own business when the big bad government broke his door down.

In Texas, they don't convict homeowners who shoot trick or treaters trespassing on private property: http://wiki.answers.com/Q/In_Texas_can_you_shoot_someone_for....

Don't act so surprised and imposed upon that a culture that very much respects fences sees something wrong with intentionally poking your nose where it doesn't belong, online or offline.

Wasn't it just email addresses that he published? I'm all for protecting personal information, but I find it hard to believe it's a felony for collecting a list of email addresses.
He didn't even publish it. He reported it to the media, so they saw it in order to verify, and he deleted the list.
The crime in question was accessing a computer system in an unauthorized fashion to collect e-mail addresses.

Yes, the distinction is relevant. Taking photos of my wife in public and publishing them? Creepy but not illegal. Walking through my door (locked or unlocked, it doesn't matter) to take photos of my wife in my house? You're lucky if you don't get shot.

    The crime in question was accessing a computer system in an unauthorized fashion
Via a URL accessible to anybody? If I poke around on your website and find your /hiddenstuff directory, am I guilty of a crime?
What good reason do you have to be poking around in my /hiddenstuff directory? If I leave my car door unlocked, do you take it as an invitation to look through my CDs?
Correct analogies help. Stuff in the internet doesn't just "exist", clients receive it by asking servers. So the analogy here would be a guy coming up to your door, asking for a photo of your wife. If you then hand it to him, and continue doing so as he keeps coming back for more photos, how can you claim it was unauthorized? You made the choice, after all!
In your analogy, the only reason it's okay is the presumed consent that arises from my just handing you the pictures, and the fact that you can reasonably infer that I consent because I handed you the pictures.

You can't anthropomorphize the web server like that. You cannot say this guy reasonably inferred that AT&T intended him to have access to these e-mail addresses. It's a dumb piece of equipment--a broken door lock. An unlocked door does not mean you are invited to come in.

But, in this case - didn't he just spoof a user agent and toss fairly guessable CCID numbers?

Certainly hacking, and given that he doesn't work for, or is associated with AT&T - some type of criminal trespass - but, we're talking community service here, not a felony. Slap the hand, don't cut it off.

I would hope we can all agree that there is a pretty big difference between a pervasive attack where someone spear-phishes a user inside a company, plants a trojan, and uses that to acquire sensitive intellectual property for financial gain, and/or do damage - versus what weev did - trying some pretty obvious numbers on the public website with an iPad user agent.

> Certainly hacking, and given that he doesn't work for, or is associated with AT&T - some type of criminal trespass - but, we're talking community service here, not a felony. Slap the hand, don't cut it off.

I agree, but he's not being charged with felonies for simply poking around. He's being charged with felonies for what he claims he was going to do with the information.

The defense seems to be that he wasn't actually going to do that, but it's the domain of the jury to decide his intentions based on his actions.

> some type of criminal trespass

When you send packets to an internet-connected device, and that device sends some packets back to you, that is not "trespass". You haven't "gone" anywhere, and you certainly didn't cross any "property lines". Much in the way that the copyright mafia wants to redefine "piracy" from "murder and plunder on the high seas" to "listening to a friend's MP3", numerous other bad people will be thrilled when the public accepts "SYN,SYN-ACK,ACK" as a new meaning of "trespass".

Remind me never to file a bug report to any company you work for.
> In Texas, they don't convict homeowners who shoot trick or treaters trespassing on private property

Please clarify. Are you trying to say that there exists any justification for this idiotic Texanity? Because there isn't, and therefore you can't logically use it to justify this other unjustifiable thing.

Also, sending packets to an internet-connected device, and then reading the packets it sends back to you, is in no sense "trespassing". Trespass is being physically present in a physical location in which you aren't welcome. You can't trespass while you're physically in your mother's basement. Please don't mangle the English language.

For the purpose of federal sentencing guidelines, this doesn't count as "acceptance of responsibility", right?
More information about the case from ars technica, that supports your story

http://arstechnica.com/apple/2011/01/goatse-security-trolls-...

I don't approve of his motives or actions either, but still, it seems that spending years in jail is a disproportionate punishment for the amount of harm he may have caused AT&T or its customers. This article says that they had second thoughts about how smart their plans actually were and ended up deleting the data rather than selling it to anybody. And it's doubtful that their actions had any lasting effect on the stock price of AT&T - data leaks are a fairly frequent occurrence among large corporations.
The intent is immaterial if the actions are not against the law.

If accessing published information (and incrementing a number in an url cannot be considered breaking in ...) is against the law, there is something terribly wrong with the law.

That said if he tried to use the data to extort money from AT&T that would of course be a criminal offense (even if the "intent" was robinhoodian).

To illustrate with an analogy: If someone takes a picture of a hapless drunk girl dancing topless in a bar (AT&T), that is not criminal. If this person approaches the girl and asks for money to delete the incriminating pictures, that is extortion. If the person sells the picture to an interested third party, this might constitute the case for a civil lawsuit (see the texxxan case...)

In any case no special laws are needed for judging behaviour in the virtual world.

There is no indication he wanted to sell it. He wanted to embarrass AT&T, and that isn't a crime. Changing the number in a URL is not identity fraud.

This is exactly the same thing that was thrown at Aaron, even if you don't find the target as sympathetic.

"He that would make his own liberty secure, must guard even his enemy from oppression; for if he violates this duty, he establishes a precedent that will reach to himself." -Thomas Paine

That does not appear to be true. From the Ars Technica article on the case:

"Auernheimer then helped Spitler refine his script to harvest a large number of valid e-mail addresses of iPad 3G users, suggesting that a huge data set would be needed to "direct market iPad accessories" or start a "future massive phishing operation," noting that the data breach would be "huge media news."

That is a joke. He is a troll. He makes satire videos and makes statements like that left and right. His security company was called "goatse security" and it was an ASCII picture of an anus.

This might be offensive, juvenile, or unfunny, but it's nothing remotely close to criminal. The feds took a private IRC log out of context and pasted it into the indictment.

This is not what the prison system exists for, and we are all worse off for using it this way.

If what he says is a joke, and he's a troll, then he's also an unreliable witness. Hence why a trial is unnecessary to find out the truth? Because how can one know that he's telling the real story now?

Really, if you confess to a crime, and then turn around and say "ha ha, only kidding!" don't be surprised if people find it hard to trust anything you say.

Note: I'm taking what you've said here at face value and otherwise know very little about this case.

But that article then goes on to say that they eventually chickened out and deleted the data without having sold it to anyone.
Weev direct marketing iPad accessories? That's the funniest thing I've ever heard. Go read the IRC transcripts. It's so clearly a joke.
Yeah yeah. He should "man up" or something like that. Those bastard hackers, self declared trolls, activists and stuff...

Do you guys always know the full story behind the news and comment accordingly? If you do based on the articles you read around, I want to remind you that in Aaron's case what you could read about the case was less than half the truth and there are still things we're not sure.

Well, go on.

Unless you know something everyone else doesn't then what is published about the Swartz case is on the record and in the books. So you're saying that the prosecutors were correct in the charges they brought?

So what? The reaction suggests that the next time he will pastebin his next hack all right. Is this what we as a society want?
Absolutely not, he should have checked with a lawyer first about how to accomplish his objectives within the framework of the law. Then he would not be in jail but instead making lots of money.

It's really not that hard to compile a list of email addresses from a public API in a way that doesn't violate the law.

That's a nice idea actually. We should have this "I have found a vulnerability, now what" kind of lawyer service around.
> Laws take into account indent (mens rea)

That should be "intent", fyi. Legal code is not nearly as whitespace-sensitive as is Python.

One time, I indented my code with five spaces instead of four.

I did this because I despised Guido van Rossum, who I think is unjustly beardy[1], and wanted to embarrass him.

I was convicted of two consecutive five-year felonies, and am now awaiting sentencing.

[1] https://dl.dropbox.com/u/14204175/screencaps/AwesomeRossum.j...

People that describe themselves as trolls are generally bigoted idiots and I feel no sympathy. I'm sorry if that's a stereotype but I can't help myself, the internet hasn't been nice to me.
Whether they're bigoted or idiotic shouldn't affect how the law affects them, though. If the person committing this crime was a nice, inoffensive guy, would the law remain justified?
The law should treat both of them exactly the same. But if he was nice and unoffensive, I would go out of my way to help him.
May we see some proof of the full story? There's nothing to that effect in the IRC logs other than some jokes about how the data is valuable and how they could sell iPad accessories. As if. What did he do? Wrote a bunch of journalists to get press and then deleted the data.
If anything, he didn't want to sell the data, he wanted to sell the story.