[Encosia]

It blows my mind that someone could get 10 years for idempotent operations on what was essentially a public API. Put in any other context than "scary computer hacking", it would be obvious to most people that the insecure system was at least as much to blame as this kid.

[objclxt]

Firstly, the laws around this sort of thing are very stupid. But with that said...I'm not wholly sympathetic here.

The disclosure was totally botched. The IRC logs that came out during the case showed that Andrew and Dan (Spitler) talked about shorting AT&T stock (they ended up not doing this, but it's not the sort of thing you talk about), and going directly to news organisations, bypassing AT&T. They also considered (perhaps jokingly, but again, not something you joke about) selling the e-mail addresses to spammers.

Andrew also initially told Gawker he'd disclosed to AT&T, when in fact he hadn't (Ars has a good summary here[1]).

I am definitely not saying that a ten year sentence is warranted, or that any sort of custodial sentence is appropriate. In fact, I doubt he'll be given 10 years, more like 2-4 (since his fellow defendant, who plead guilty, got 12-18 months). But I do think the disclosure was handled really, really badly. I've found and disclosed very similar vulnerabilities - I would not leak the entire database out. That's just crazy.

Again, it's the old black/grey/white hat argument again. But to go public without even informing AT&T doesn't endear him to me.

[1]: http://arstechnica.com/apple/2011/01/goatse-security-trolls-...

[Encosia]

To me, it's not a question of black/gray/white hat. This was as much a "hack" as grabbing a handful of business cards out of the free-lunch-for-your-office drawing bowl at Chipotle. Regardless of what nefarious purposes someone had for snatching those business cards, almost everyone would see it as ludicrous to suggest a 10 year sentence for the act of grabbing that unguarded data alone.

Even though this guy is no role model, it makes me deeply uneasy to see AT&T get away so easily with reframing their own incompetence as innocent victimization.

[sneak]

What would be wrong with shorting ATT and smearing them in the media for having shit security? Why wouldn't you talk about that?

The list was never made public.

I doubt they were joking when discussing selling the list, or spearphishing, or spamming it, or pastebinning it. Turns out, though, that that would have been harmful to innocent people - which is why it was not done.

There was no crime here. ATT said as much before the indictment.

[edem]

I totally agree with you. They don't hand out 10 years for nothing. It is a little harsh though.

[yardie]

They don't hand out 10 years for nothing.

LOL. If you mean literally nothing than no. But the war on poverty, war on drugs, and 3-strikes means the US justice system is handing out long sentences for black and hispanic males 3x the rate of white criminals.