by josephlord 4889 days ago
I said crawling URLs, not tweaking address bars (implying a scripted mass process). The other point is that the sentence in this case, whether reasonable for other reasons or not, will be a reference point for future prosecutions against less unlikeable people.

Legally, in the US there seems to be very little protection for privacy (unlike copyright), whereas in the UK Sony has just been fined £250K for failing to adequately secure personal data (PSN hack).

Should this person have collected more than 100K email addresses? - NO.

Should they have blown the whistle or reported it straight away? - YES.

Were they criminal? Probably just about.

Does what they joked about matter? No unless they actually tried to do it.

Does the fact that they wanted to harm AT&T matter? Not much for me. AT&T harmed themselves, and while the discoverers of the flaw could have mitigated AT&T's harm and these guys chose not to, for me that doesn't turn it into a crime, although it possibly does suggest additional sentencing is appropriate.

Is 10 years an appropriate sentence for accessing information that had less legal protection than copyrighted works? Definitely not in my view.

1 comment

It's 10 years max, and no, that doesn't seem disproportionate to me at all, given that you have stated malicious intent and actual material harm. I can think of white-collar crimes that have a similar effect (dumping stock, insider info) that carry bigger max sentences.

I also completely disagree that AT&T 'harmed themselves'. This to me is grey-hat rationalizing/hand-washing. "It's not my fault that your security sucks. I just, you know, exploited it, harvested hundreds of thousands of emails, highlighted the most important executive and government official emails and released them in as public a manner as possible, potentially causing hundreds of thousands or even millions of dollars worth of economic damage and loss of reputation."

Sorry, to me a max 10 years is light, compared to the kinds of white-collar sentences we've seen for stuff like insider trading. They stole the data. They sat on it. They tried to release it in such a way as to cause harm, and the potential dollar-value risk for AT&T and all their employees was huge. Think of the massive hit RSA took when their data was stolen. It doesn't matter how "easy" the hack was: what matters is intent, action and effect. All three, to me, are clear-cut here. I don't see how weev could expect any different outcome.