by meowface 4187 days ago
First of all, the company could definitely be sued for negligence in the US. Not sure if they could in the UK.

Second, there are not that many similarities between this research and weev's research. In this case, the researcher created 2 accounts which he had control over, then read data from both of the accounts despite not authenticating to either of them. He did not access any other customer's information (or at least he's suggesting he didn't).

Weev on the other hand scraped private information for over 100,000 customers and shared it with friends and reporters.

Both technically violated the CFAA, but weev's offense is a much greater violation of customer privacy, while this researcher has not violated anyone's privacy.

I still don't think weev should have gotten any jail time, but you're making an unfair comparison.


Personally (and I know this is likely to be an unpopular sentiment on HN) I have very little sympathy for weev.

He knowingly and deliberately attacked a weakness he had found to scrape data, knowing that the access was unauthorized. I disagree that the data was in the public domain (although the Third Circuit disagrees) - just because something is accessible to the public doesn't mean it's in the public domain.

Just because he wrote it up as a security researcher doesn't mean he should be immune for his actions - in fact in some ways it makes it worse because he did it knowing that he was unauthorized.

He exposed the vulnerability to the press (so he didn't act in good faith regarding the disclosure) and he did so potentially for monetary gain (he claimed to be a member of a hacker group called "the organization," making $10 million annually).

I think one part of improving cyber security is prosecuting people who deliberately and maliciously hack into other systems who do so for either monetary gain or fame. I think this is especially the case whereby they don't act in good faith (e.g. providing proper disclosure).

>I think one part of improving cyber security is prosecuting people who deliberately and maliciously hack into other systems who do so for either monetary gain or fame.

This would do nothing except cast a chilling effect over the security community. Everyone would sit on exploits, too afraid of overzealous prosecutors to publish them or even reach out to the affected parties.

Unless, of course, you believe the US justice system to be the paragon of restraint and reasonableness.

No, it would be better if responsible disclosure was codified in the CFAA. That's worthy of a campaign - but weev didn't practice that, so he's a poor figurehead for such a campaign.

Such a protection could provide an equal level of footing with the DMCA (i.e. you aren't liable for malicious attacks on a computer company if you provide full disclosure and advance notice, in the same way YouTube isn't liable for hosting copyrighted content if they provide a takedown mechanism).

Doubt it's as unpopular as you think.

Apparently - probably because of a silent majority instead of a vocal minority.

I agree, and feel that the EFF made quite the strategic error in supporting Auernheimer's appeal.

Weev should probably be in jail for several reasons. Just not the specific reason they sent him to jail for. The EFF had to fight because the conviction set a really bad precedent for other research.

The trouble with fighting for human freedom is that one spends most of one’s time defending scoundrels. For it is against scoundrels that oppressive laws are first aimed, and oppression must be stopped at the beginning if it is to be stopped at all.

— H. L. Mencken

> "For it is against scoundrels that oppressive laws are first aimed..."

[Citation Needed]

I honestly don't think it is unfair. "Both technically violated the CFAA" is an important sentence.

The legal system is very complicated and sometimes small details make very big differences in cases. I'm not convinced others in the legal system would see this as different.

I don't think that the author violated the CFAA, though: in both cases, he was acting on behalf of his users that he had created in the system -- the same requests he would normally make when using those accounts. ("BobAtHome", "BobAtWork" could conceivably be two accounts for Bob.) That seems substantially different than what Weev did, which was try to read ${Everyone}'s data.

Moonpig.com is not an application you run on your own computer, though, it's a service operated and hosted by Moonpig. Any tampering with that application in a way that's not intended is a violation of the CFAA.

As you and I have essentially both just said, it's very unlikely there would be any prosecution due to the facts and the researcher's intentions, but I think it is still a technical violation. Paraphrasing, but the first line of the CFAA is "having knowingly accessed a computer without authorization or exceeding authorized access" (that line is explicitly for access that could jeopardize national security, but it goes on to set similar limits for general unauthorized access of any entity).

In this case it is not necessarily unauthorized access of a customer's account, but unauthorized access to a component of Moonpig's system.

That's difficult to argue given the app underlying it knowingly makes these requests.

It's arguable that he could be reverse engineering the API to make a compatible client - I think that should be legal, although IANAL.

The CFAA is a very broad statute, but the US legal system still does focus heavily on intent both for charging and sentencing, as well as deciding whether to charge at all. Even if in theory 2 people are convicted under the exact same law, they could get drastically different sentences based on how the judge perceives the defendant's intent.

In this case there's almost no chance law enforcement would charge the researcher unless Moonpig decided to press charges. And even then, they may decide not to charge due to the facts of the case (though of course they legally can).