I wonder how he would be treated if he had picked up a stack of paper printouts an AT&T employee had left on a park bench and taken it to a news outlet in order to showcase AT&T's recklessness with customer information? Would Aaron Swartz's case have been handled the same way if he'd gone into a library and photocopied a whole heap of journal articles? The powers that be seem terrified that someone might use technology in a way which they can't control. Apart from the disgusting human rights abuse that these cases illustrate, I worry about the future when people like judges and prosecutors think it's at all fair or reasonable to put people in jail for freely accessing information.
It blows my mind that someone could get 10 years for idempotent operations on what was essentially a public API. Put in any other context than "scary computer hacking", it would be obvious to most people that the insecure system was at least as much to blame as this kid.
Firstly, the laws around this sort of thing are very stupid. But with that said... I'm not wholly sympathetic here.
The disclosure was totally botched. The IRC logs that came out during the case showed that Andrew and Dan (Spitler) talked about shorting AT&T stock (they ended up not doing this, but it's not the sort of thing you talk about), and going directly to news organisations, bypassing AT&T. They also considered (perhaps jokingly, but again, not something you joke about) selling the e-mail addresses to spammers.
Andrew also initially told Gawker he'd disclosed to AT&T, when in fact he hadn't (Ars has a good summary here[1]).
I am definitely not saying that a ten year sentence is warranted, or that any sort of custodial sentence is appropriate. In fact, I doubt he'll be given 10 years, more like 2-4 (since his fellow defendant, who pleaded guilty, got 12-18 months). But I do think the disclosure was handled really, really badly. I've found and disclosed very similar vulnerabilities - I would not leak the entire database out. That's just crazy.
Again, it's the old black/grey/white hat argument. But to go public without even informing AT&T doesn't endear him to me.
To me, it's not a question of black/gray/white hat. This was as much a "hack" as grabbing a handful of business cards out of the free-lunch-for-your-office drawing bowl at Chipotle. Regardless of what nefarious purposes someone had for snatching those business cards, almost everyone would see it as ludicrous to suggest a 10 year sentence for the act of grabbing that unguarded data alone.
Even though this guy is no role model, it makes me deeply uneasy to see AT&T get away so easily with reframing their own incompetence as innocent victimization.
What would be wrong with shorting ATT and smearing them in the media for having shit security? Why wouldn't you talk about that?
The list was never made public.
I doubt they were joking when discussing selling the list, or spearphishing, or spamming it, or pastebinning it. Turns out, though, that that would have been harmful to innocent people - which is why it was not done.
There was no crime here. ATT said as much before the indictment.
LOL. If you mean literally nothing, then no. But the war on poverty, the war on drugs, and 3-strikes mean the US justice system is handing out long sentences to black and Hispanic males at 3x the rate of white criminals.
In many countries simply accessing a public server without consent is illegal. Here in the UK the Computer Misuse Act contains the following gem:
> It is an offense to make a computer perform a function and for that function to be deemed unauthorised by the owner of that computer
This is fantastically broad. I believe it's similar in the US. It's led to convictions for things like directory traversal, XSS testing, and even people looking for vulnerabilities with good intentions. If you're doing stuff like this, be aware of the risk. Some companies are very good about it (Facebook, Google, etc). Others take a far dimmer, litigious view (AT&T?).
These are not laws that are taught in a civics class. I think it's important that until the laws can be changed (and they definitely should be changed) that people in this field know the risks, and weigh them up accordingly.
I agree with you that Andrew's approach is quite...antagonistic. I wouldn't, for example, go on the record saying I think "a sane society would lynch [...] Carmen Ortiz". Personally, I'm not in favour of public lynchings. This isn't going to endear you to the court, or to those who could help change the law for the better.
He doesn't come across as the smartest cookie by any means (making non-strategic comments to the media), though that shouldn't deprive anyone of fair justice.
This sucks. weev is an asshole and troll, but he's also a friend, and he hasn't done anything a lot of other people don't do routinely. I hope he gets a suspended sentence, but I think the 50/50 is he'll get ~3 years in total, served at least 1.5y in a federal prison.
"In 2010, Auernheimer and a compatriot, Daniel Spitler, discovered that visiting an unsecured AT&T Web server and entering a number associated with the customer's wireless account allowed him to obtain that customer's email address.
By altering the number and repeatedly querying the server, Auernheimer and Spitler were able to obtain hundreds of thousands of email addresses, which they then released to Gawker."
===
Amazing that something as simple as that landed him 10 years. This is something even I have done with some servers for telecoms in my country. And trust me, I'm no hacker. I just know basic HTTP GET request parameters, and what asshole doesn't know about those?
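The quoted article describes the technique at the level a practitioner would recognise as sequential-identifier enumeration: the server returns a customer's e-mail address for whatever account number the caller supplies, so walking the number space walks the customer base. The script below is an added example, not code from the case, from AT&T or from either defendant; it shows the defender's side, a small detector that reads web-server access log lines and flags a client that is stepping through identifiers. The endpoint path `/account/lookup`, the query parameter `icc`, the client addresses and every log line are constructed for the example.

```python
"""
Detect sequential-identifier enumeration (IDOR harvesting) in access logs.
Added example; the endpoint, parameter name, addresses and log lines are
hypothetical and constructed, not taken from the AT&T incident.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined"-style line. Only the fields the detector needs are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

ID_PARAM = "icc"          # hypothetical query parameter carrying the account identifier
RUN_THRESHOLD = 5         # this many consecutive +1/-1 steps from one client => alert
DISTINCT_THRESHOLD = 20   # or this many distinct identifiers from one client => alert

# Constructed sample: 10.0.0.7 walks six adjacent identifiers (one of them unassigned,
# hence the 404), 10.0.0.9 looks up its own account twice, 203.0.113.5 makes three
# unrelated lookups, and one request has no identifier at all.
SAMPLE_LOG = """\
10.0.0.7 - - [09/Jun/2010:14:01:02 +0000] "GET /account/lookup?icc=8901410000000000101 HTTP/1.1" 200 54
10.0.0.7 - - [09/Jun/2010:14:01:02 +0000] "GET /account/lookup?icc=8901410000000000102 HTTP/1.1" 200 53
10.0.0.7 - - [09/Jun/2010:14:01:03 +0000] "GET /account/lookup?icc=8901410000000000103 HTTP/1.1" 200 57
10.0.0.7 - - [09/Jun/2010:14:01:03 +0000] "GET /account/lookup?icc=8901410000000000104 HTTP/1.1" 404 12
10.0.0.9 - - [09/Jun/2010:14:01:04 +0000] "GET /index.html HTTP/1.1" 200 2048
10.0.0.7 - - [09/Jun/2010:14:01:04 +0000] "GET /account/lookup?icc=8901410000000000105 HTTP/1.1" 200 51
10.0.0.9 - - [09/Jun/2010:14:01:05 +0000] "GET /account/lookup?icc=8901410000000004242 HTTP/1.1" 200 55
10.0.0.7 - - [09/Jun/2010:14:01:05 +0000] "GET /account/lookup?icc=8901410000000000106 HTTP/1.1" 200 58
203.0.113.5 - - [09/Jun/2010:14:02:10 +0000] "GET /account/lookup?icc=8901410000000001111 HTTP/1.1" 200 52
10.0.0.9 - - [09/Jun/2010:14:02:11 +0000] "GET /account/lookup?icc=8901410000000004242 HTTP/1.1" 200 55
203.0.113.5 - - [09/Jun/2010:14:02:12 +0000] "GET /account/lookup?icc=8901410000000009876 HTTP/1.1" 200 56
203.0.113.5 - - [09/Jun/2010:14:02:13 +0000] "GET /account/lookup?icc=8901410000000003333 HTTP/1.1" 200 50
"""


def parse_line(line):
    """Return (client_ip, identifier, status) for a lookup request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = parse_qs(urlsplit(m["path"]).query).get(ID_PARAM, [None])[0]
    if raw is None or not raw.isdigit():
        return None
    return m["ip"], int(raw), int(m["status"])


def longest_sequential_run(ids):
    """Length of the longest run in which each identifier is the previous one +1 or -1."""
    if not ids:
        return 0
    best = cur = 1
    for prev, nxt in zip(ids, ids[1:]):
        if abs(nxt - prev) == 1:
            cur += 1
            best = max(best, cur)
        else:
            cur = 1
    return best


def analyse(log_text):
    """Per-client summary of identifier lookups, with an enumeration flag."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ip, ident, _status = rec      # 404s count too: probing unassigned ids is still enumeration
            per_client[ip].append(ident)
    report = {}
    for ip, ids in per_client.items():
        run = longest_sequential_run(ids)
        distinct = len(set(ids))
        report[ip] = {
            "requests": len(ids),
            "distinct_ids": distinct,
            "longest_run": run,
            "flagged": run >= RUN_THRESHOLD or distinct >= DISTINCT_THRESHOLD,
        }
    return report


if __name__ == "__main__":
    for ip, summary in sorted(analyse(SAMPLE_LOG).items()):
        print(ip, summary)
```

On the sample input only 10.0.0.7 is flagged: six requests, six distinct identifiers, a sequential run of six. The repeated self-lookup from 10.0.0.9 and the three scattered lookups from 203.0.113.5 stay below both thresholds. The detector is a compensating control, not the fix: the underlying defect is that the lookup trusts a caller-supplied identifier instead of binding the result to an authenticated session, and that is what a server-side fix has to change.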
Testing car door handles in a full parking lot is amazingly simple too. Does that mean it's okay to look through any unlocked cars' glove compartments to collect personal information of the owners?
Auernheimer crossed a line. The punishment seems excessive, but then again I don't know all the details of what he tried to do with the data.
The fact that he obtusely refuses to recognize that he crossed a line doesn't exactly make me feel sorry for him.
You've missed my point. If you were in a parking lot and found your car to be unlocked, this might alarm you. You might try someone else's door to see if it's similarly unlocked, and just to be sure it's not a fluke, you might try another.
I'm not even going to try to adapt that to your rape scenario. I feel like there should be an equivalent of Godwin's law that I could appeal to in this context.
You paint far too innocent a picture of what happened. If we're going to use analogy, can't we make an effort to have it be accurate?
Let's roll with your scenario -- Do you systematically go through all the cars in the lot? Do you collect personal information from those cars, like names on the insurance? Do you get busted making on-the-record comments about exploiting the use of that data for your own personal gain?
Seriously, weev was hardly being a good samaritan. He was doing something he shouldn't have been doing, made some stupid/incriminating comments in a public forum, then didn't handle the data properly. Worst of all, he's facing serious jail time and is too obnoxious to even admit that what he did might have been inappropriate.
Personally, I'm all for living in a world where you can leave your car door unlocked and not be blamed when someone opens the door. Call it a Godwin-esque move if you want, but I'm just not into blaming victims.
It seems to me that the real villain is AT&T, for making this private data entrusted to its care freely available to the public. What criminal and civil liabilities will it face?
That's disingenuous. "Freely available" implies that AT&T desired to give this data away or advertised it knowingly. Clearly they didn't.
What Auernheimer did, with intent, was to bypass AT&T's intended use of the system.
What AT&T did was incompetent or perhaps even negligent by a reasonable notion of corporate coding standards. You'd need to dig a bit more to learn how systemic the incompetence/negligence was before attempting to sign appropriate blame, though. Maybe some contractor got into the system and made the change that made that exploit possible the day before and deployed it without following AT&T release guidelines. I dunno. Knowing that kind of info matters, though.
Let's not twist the facts of what happened in order to justify different outcomes.
Disagreed. The facts are indeed that AT&T made this freely available... my definition of making something available is that it is readily available for the taking, whether I desired to give it away or not. If I leave my front door open due to negligence, I probably don't desire to be burglarized, but it is true to say that I have made my house contents freely available. If my house contents include a laptop full of people's private data, then I think it's reasonable I should face some penalties.
As to your other point, AT&T is responsible for the actions of its contractors as well as for its full-time employees.
For anyone with a little knowledge about locks and basic tools, no conventional door lock prevents entry. So by your logic, nearly all house contents are freely available.
Regarding AT&T, it's not a question of responsibility - it's a question of a level of fault that is negligent. At some level, it's your responsibility because you gave AT&T your data, right? At some level, it's your responsibility because you have an email address, right?
Without a detailed assessment of many factors, just throwing out there that AT&T is negligent seems to be fairly irresponsible.
Nah. If I give any website my email address, I have a reasonable expectation it won't be published on that website in a public manner ripe for harvesting. Unless of course the Ts&Cs I'm signing explicitly say it will (somewhere prominent, preferably in bold red with flashing letters).
Here is a very good lecture on the state of cyber crime law. I recommend it to everyone in this community. Things are crazier than you are probably aware.
I love weev and I had a blast trolling with him back in the day, but he's nothing like Swartz. The biggest split being that Swartz had good intentions whereas weev was having fun.
I don't think he should be imprisoned for exploring AT&T's god-awful security, but I also don't think he should be worshipped.
"Andrew Auernheimer, 26, of Fayetteville, Arkansas, was found guilty in federal court in New Jersey of one count of identity fraud and one count of conspiracy to access a computer without authorization." [1]
I just listed the charges, I didn't say I agreed with them. And I didn't say anything about AT&T.
It seems clear that AT&T failed to protect their customers' personal details. Whether that makes them criminally liable depends on US law, about which I know almost nothing. This [1] article seems to imply that it is fairly weak compared to European data protection laws, so it may be that AT&T did nothing wrong in a strict legal sense.
While it's tempting to think that he was just made an example of for embarrassing a corporation, he did write a script to harvest 120,000 email addresses from the AT&T server. I'd say that constitutes criminal intent, even if he had no intention of using the addresses for a criminal purpose.
There are two problems here: 1. absent or weak data protection laws, and 2. disproportionate sentencing guidelines (up to 10 years) for what in this case is basically a victimless crime.
"While it's tempting to think that he was just made an example of for embarrassing a corporation, he did write a script to harvest 120,000 email addresses from the AT&T server. I'd say that constitutes criminal intent, even if he had no intention of using the addresses for a criminal purpose."
Criminal intent...to do what exactly? Email people? Was he planning to send them spam?
Why are we punishing someone who writes a script? Do we really want to live in a society where programming your own computer is a crime?
Intent to commit a criminal act: "conspiracy to access a computer without authorization". If he'd just accessed a few accounts then that could be attributed to user error or a technical fault, if anyone ever even noticed. But what he did shows persistent intent to do something which is illegal in the US, even if he wasn't aware of the illegality.
Look, I agree with you. Jailing this guy is manifestly absurd, stupid, and cruel. I was just trying to explain how other people, who may hold differing opinions to you and me and happen to write the law, might see things. Doesn't mean I agree.
He was charged with conspiracy, so it's relevant that it was discussed. Conspiracy usually requires discussion of the intended crime, and then at least one party to commit an act that furthers that crime. It doesn't actually require the crime itself to be committed.
From what I read in another article there were various nasty and/or more clearly criminal things that he discussed/joked about doing although from what I understand he didn't actually follow through on them and they just released the information to journalists to make AT&T look bad.
When everyone is a criminal all the time, with selective enforcement, it makes it easier to tax and control. When political winds shift, you can eliminate anybody you want, because you just make an Excel spreadsheet of political enemies and then forward it by email to law enforcement for increased surveillance, and whamo, felony convictions. How much you want? 1 year? 5 years? 10 years?
The government is just trying to maintain its power over the people. When the Federal Reserve realizes there is no other alternative except to default on the US treasury, there is going to be a lot of unrest, and the internet will be a focus point of governmental rebellion, so it's important everyone who accesses the internet is a felon. Especially the coders, like this one, who will be making the rebellion possible.
You got to put the fear in them. We may be the ones, like our founding fathers, who have to write up a new constitution, bill of rights, and spawn a new nation to break away from the defective one. Like the good men of old time broke away from Britain. The battlefield this time around will not be on the shores of Boston, the battlefield will be software, servers, clicks, and smart phones.
As with all battlefields, the side who wins is the one who prepares the most. This is why we are cracking down on website clicking by programmers, rather than cracking down on governmental corruption.
I guess you must live in China. Here where I live, the government is made up of ordinary people who are also subject to the law, and we can vote to change the law whenever and however we want.
Reality is too complex to fit into a narrative. Our system manages to be both corrupt and democratic at the same time, with money, fame and influence all helping to distort outcomes, both on behalf of private interests and We The People.
There is corruption in pretty much any system without a complete and total police state. Most western democracies are highly imperfect. But they're a lot better than pretty much anything else that has been tried, and if people work hard, they can continue to improve them.
Hard work means "getting out of the building" though.
Where I live, the people are too apathetic and uninformed to care, and they just keep voting for the same right-wing politicians in election after election. I live in a country with an order of magnitude more prisoners than any other, where there are so many laws on the books that the government itself cannot even keep track of them all.
The UK, but my answer would equally well apply to the US or the majority of democratic nations. There's not a Big Conspiracy. There's just lots of people, often stupid and ill-informed, but nevertheless people voting for what we want.
Firstly, it is possible to go out and inform people. Best to get off HN and out of the house, because only a tiny number of pretty intelligent people use HN and all of us have similar backgrounds and beliefs.
Secondly, although I think HN readers would make great voters on subjects we care about, e.g. how the Internet should be regulated, I'm sure we'd be mostly stupid and ill-informed about things that we don't know or care about, e.g. farming regulations, or sickness benefits for elderly mentally-ill patients, or a thousand other specialized subjects.
It's not a conspiracy but the effect is just the same. Selective enforcement of laws that make everyone a criminal allows people in positions of power to target anyone they wish. This is made worse in countries where penalties are very severe, like the US.
I wasn't saying certain people should not be held accountable to certain laws; I'm just pointing out the major theme of the phenomenon taking place here. As programmers we are a tremendous emerging power, and it feels like programmers are being discriminated against by the U.S. much more so than, say, an exec at AIG. Perhaps the programmer should be prosecuted, to uphold justice, to make an example to all programmers that you better watch out before you go making a copy of some document you find lying on the ground while taking a walk in the park. Don't copy that floppy, you could go to jail for 10 years.
What the fuck is "the established ruling system" besides a representative democracy, if we're talking about the US, at least?
Sounds like one of those trite propaganda-esque phrases that don't really mean anything.
Government in the US is far from perfect, but it's not some big conspiracy theory either.
If you want to see a real rebellion, look at Syria. It's people shooting each other with guns to take and hold territory, not some dipshit who finds an inept megacorp with its trousers down and grabs the data he finds and then crows about it.