[davesims]

"Do you want 10 years to be the normal sentence (or even the prosecutors threat) for crawling URLs and reporting the privacy breaching results to the news media?"

This is such a sanitized version. I'm open to being corrected here, but afaik the 'crawling' in question was done by a script written and refined for the expressed purpose of harvesting data, with intent to cause material economic harm to AT&T, which they did. They sat on the vulnerability for days while discussing at length how to perform the 'report' in such a way as to cause the most negative effect.

They knew full well what they were doing was illegal and were afraid of being caught and discussed it.

Let's state it again in a less-sanitized fashion: They found a vulnerability, did not report it, exploited the vulnerability and stole data with the stated intent to cause material harm and/or sell said data, and actually brought about said economic harm.

People defending weev are making it sound like some guy tweaked a value in his browser url bar, ran to AT&T and said 'look what I found', and had his home promptly raided. Hence the ridiculous top comment on slashdot, "America has lost its fucking mind."

Let us not, as the hacker community, lose ours over this. What weev did was malicious and illegal and harmful and if we appear to defend him I'm afraid we undermine the cause of Aaron's case and the possibility of curtailing real prosecutorial aggresion. I really don't think it was the case at all with weev.

[josephlord]

I said crawling URLs not tweaking address bars (implying scripted mass process). The other point is that the sentence in this case whether reasonable for other reasons or not will be a reference point for future prosecutions against less unlikeable people.

Legally in the US there seems to be very little protection for privacy (unlike copyright) whereas in the UK Sony has just been fined £250K for failing to adequately secure personal data (PSN hack).

Should this person have collected more than 100K email addresses? - NO.

Should they have blown the whistle or reported it straight away? - YES

Were they criminal? Probably just about.

Does what they joked about matter? No unless they actually tried to do it.

Does the fact that they wanted to harm AT&T matter? Not much for me, AT&T harmed themselves and while discoverers of the flaw could mitigate AT&T's harm and these guys chose not to for me that doesn't turn it into a crime although possible does suggest additional sentencing is appropriate.

Is 10 years an appropriate sentence for accessing information that legally had less legal protection than copyright works? Definitely not in my view.

[davesims]

It's 10 years max, and no that doesn't seem disproportionate to me at all, given that you have stated malicious intent and actual material harm. I can think of white-collar crimes that have similar effect (dumping stock, insider info) that carry bigger max sentences.

I also completely disagree that AT&T 'harmed themselves'. This to me is grey-hat rationalizing/hand-washing. "It's not my fault that your security sucks. I just, you know, exploited it, harvested hundreds of thousands of emails, highlighted the most important executive and government official emails and released them in as public a manner as possible, potentially causing hundreds of thousands or even millions of dollars worth of economic damage and loss of reputation."

Sorry, to me a max 10 years is light, compared to the kinds of white-collar sentences we've seen for stuff like insider trading. They stole the data. They sat on it. They tried to release it in such a way as to cause harm, and the potential dollar-value risk for AT&T and all their employees was huge. Think of the massive hit RSA took when their data was stolen. It doesn't matter how "easy" the hack was: what matters is intent, action and effect. All three, to me, are clear-cut here. I don't see how weev could expect any different outcome.