It's really bothering me that all of the newspaper stories about this are defining this as a "hack". That has a very negative connotation and is coloring peoples' opinion about this case.
As far as I understand it, the data was publicly accessible and merely visiting the URL output the data he found. I don't view that as hacking.
No, not really. Even I don't support his arrest and imprisonment, but what he did was really a hack - He did something that normal people wouldn't do and extracted those emails. Of course, AT&T was assholish enough to have him convicted, but still, this guy was at wrong..He deserved a nice whack maybe, but 3 years of his life is too much to pay for. Heck, even rapists and murderers spend less than that, sometimes.
I'm harping on this word choice because most non-technical people do not understand what technical people mean when they say "hack", yet every newspaper article on this is using the word "hack" or "hacker" in the title and coloring peoples' perceptions about this case in a negative and unfair fashion.
If you use the word "hack" in front of normal people, they would probably view it as some neckbeard breaking passwords and bypassing electronic safeguards in a dangerous fashion. They would view it as equivalent to that scene from Mission Impossible where Tom Cruise is dangling from wires to break into the CIA or that scene in Terminator 2 where young John Connor gets easy money from the ATM. I use those popular references because that's what most people think is involved when you use the word "hack" when that's not the case here.
This case, if I understand it correctly, literally involved somebody visiting a URL. Whether he did so by typing it into his browser or using an automated program or not doesn't change the nature of the action to me.
I think the standard counter to this is that, if it can be reasonably assumed that you're not welcome to do it and if you're not being entrapped, then the ease with which a crime is committed should have no bearing on the severity of the crime. Stealing someone's car doesn't become moral if the person leaves the car unlocked and running, even if it "only" involves opening a car door and driving a car. I don't see why computer systems should be different.
However, breaking into someone's car in order to roll up their windows and leave them a note telling them not to do it is perfectly good in my book. So I think it's better when people focus more on the severity of the actual crime committed, rather than on the ease of committing it.
It's not stealing a car if you ask for it and they give it to you. That's what typing a URL into your browser is. Asking the server for info. AT&T could have easily programmed it to say "no".
The windows rolled down and the key in the ignition. Also note that you can see such a car and not steal it, but if you send a GET request to a server and it responds, you've already "stolen" the data. The mere act of looking at the car and seeing the windows down is criminal now.
So maybe the analogy works better like this: You're blind and walking around. Suddenly you get to some random car. Being a curious person you touch it to feel what kind of car it is and, in doing so, discover that the windows are rolled down. Reaching inside you also feel that the key is in the ignition. Then the question is, should you go to jail for attempting to steal the car (imagine that blind people are excellent drivers). You certainly did the exact same motions that a car thief would. Which are the exact same motions that a car enthusiast and curious person would do. The analogy breaks down about here, since the guy in the story copied the car by touching it, which we can't do yet.
If you accidentally find out you have access to someone else's private data that you aren't supposed to have access to, there is a big distinction between your next step being
I don't think you really mean that. If your bank were open to an XSS attack that "only" required crafting a particular URL to allow access sufficient to transfer funds, I don't think you'd be consoled that the "hack" that drained your account was, at heart, only a matter of visiting some URLs.
Obviously this "hack" was simpler, and AT&T's security was lousy. But the simplicity of an attack is not an excuse for mounting it.
I've written a lot of loops, and incremented a lot of numbers, and none of them have ever become properly escaped XSS exploits, or malformed YAML, etc. If your bar for "hack" is so low that we're training pre-schoolers to accomplish it, it may lack all descriptive power.
URLs are by design human readable and human editable. Simple discovered usage of these resources is not hacking, it is intended.
Imagine you're reading a story at example.com/stories/bears-part_1_of_3.html and just as it gets good, it's done. Without so much as a "The End".
Do you sit dumbfounded, or do you hack the bejeezus out of the website?
See how silly that sounds. So lets just say you "went to the next page".
>If your bank were open to an XSS attack that "only" required crafting a particular URL to allow access sufficient to transfer funds, I don't think you'd be consoled that the "hack" that drained your account was, at heart, only a matter of visiting some URLs.
But it's not the "hack" that you're worried about, it's the stealing. And stealing is separately illegal. Not all stealing is hacking just because a computer is involved, and something that isn't otherwise hacking shouldn't become hacking just because it involves theft or some other malicious activity that would itself be against the law.
URLs are meant to be explored by the user, hence the recommendation to use RESTful, semantic URLs. Granted, most users don't, but the spirit of URLs is to be manipulated by the end user; they are not opaque.
As simple as it was, the "squares" will always see this behavior as "hacking". Which is one of the many reasons why we should have much more specific laws than we have. The phrase "access to a computer" is so vague and vapid that it's useless for writing a just law.
Although I do think the sentence was ridiculous this is a good life lesson. When a man or group of men hold the fate of your life in their hands, take the moment seriously. Those smart comments will seem like a waste of time once you're behind bars trust me. Anyone that's been to jail can tell you only one thing - do anything you can in your power to avoid going there. At the point of sentencing the gears are in motion. Don't apply oil by being an open-mouthed fool.
Yes hes a terrible person. This news article should still be about AT&T being fined a bazillion dollars for not safeguarding that data (of course that never happened).
Any technical person of course understands that what AT&T did is akin to dumping money on the sidewalk, but you would never know from the cloud of uncertainty and ignorance that permeates these articles. We can't get more specific laws if the understanding of journalists can't rise above the word "hacking".
I have 2 emails: public, and semi-public. My public email is used to register for all sorts of things. My semi-public is only used to register for the most important things, and is posted on several internet profiles as a way to contact me.
At the very least, it is some of the least sensitive info a wireless carrier has about me. Leaking my call history, or worse location history, would cause me to take action against the carrier.
AT&T has a very important role in national defense to fill. This criminal is luckily he didn't get lined up and shot for treason.
Sure, we can say that AT&T is a telecommunications company that should try to protect the customers that pay for their service, but we all know that AT&T is actually a government intelligence agency with all the expected bureaucracy of a military sect. Protecting their customers is #1, and their customer is US Gov.
If AT&T gave a single fuck about its customers, Weev wouldn't have been able to access another user's account by incrementing a number in the URL.
If AT&T gave a fuck about its customers, they wouldn't have destroyed any chance of having a white hat point out security flaws to them in the future, before the black hats find them.
If AT&T gave a fuck about its customers, they wouldn't charge customers $20 a month for texting capabilities that cost them a nickel to provide, or $40 a month for $2 worth of bandwidth.
Should I continue? There are a million other reasons why your statement makes no sense whatsoever.
If they cared about customers, they would be open to criticism when security experts are ready to offer it behind closed doors.
While I may not necessarily agree with it, you're missing his point. Kind of like "if you're not paying for it you're not the customer", his argument is that because telecos handle communications from every organization and entity in the US, it's inevitable that they become a de facto intelligence agency for the federal government. (That is, their number one customer is their government interests.)
It's sort of a corollary to the idea that all of these convictions are intended to set the precedent that all Internet users are criminals.[0] If the primary purpose of telecos is to serve the US government, and the US government wants to criminalize Internet use, then it would make sense for them to serve "hackers" with hefty sentences in cooperation with the department of justice.
While I don't necessarely disagree with most of your content, a) it was not simply "incrementing a number in the URL" and b) you can hardly say someone is a whitehat if his goal is "to harass rich people".
While I can't speak for the rest of the parent comment, military personal do actively patrol the ATT longlines and other communications sites in the Bay Area. They have a bunker setup near the longlines station here.
That room is just the tip of the iceberg, fiber splitters are everywhere (literally) and guess what happens to oversea ISP's that think they are protected, they also get routed to the proper sniff boxes, or get covert ones installed. That big data warehouse in Utah should be nicknamed the funnel.
I'm not sure whether you are a literal ostrich with your head in the sand scratching on a keyboard, or if you're overpaid astroturfer who hasn't figured out how to use a chatbot yet.
As much as this guy deserves some kind of punishment for the horrible way he has treated people over the years, he doesn't deserve 4 years for being a class-a asshole to people. What he did wasn't a hack, heck he didn't even write the script that apparently scraped the data from the URL. A 12 year old kid with an introduction to PHP book could even write a PHP script that did what Weev did, it's not a hack it's a cheap exploit (I've done this with sites like Google & Yahoo for scraping search results before). AT&T are somewhat to blame for failing to protect the privacy of their customers in this instance, a company has a duty of responsibility to ensure it takes reasonable measures to protect customer data.
If I were the judge, I would have sentenced him to maybe 1 year (for releasing the info publicly), maybe made him serve 6 months of the sentence and given him a 3 year good behaviour bond with some conditions on getting some counselling for his obvious narcissism problem. The justice system really needs to get with the times, because these computer related hacking/cracking/exploiting incidents are only going to continue being a more common occurrence. The justice system is riddled with judges in their mid to late 60's who were raised in a non-Internet world and thus cannot truly understand the depth cases like these have or comprehend the extent as to how these defendants should be prosecuted.
Considering he used absolutely no violence against anyone, I don't think he deserves any violence to be used against him (including, obviously, imprisonment).
Why would you have that impression? The threat of violence is also the means of enforcement for civil law. If you don't comply with judicial orders, eventually the sheriff will come by and force you to.
IANAL but that is not true; they can only seize your property, and even then civil bankruptcy is still an option. You do not go to jail for violating a civil judgement.
That is an ideological libertarian viewpoint, where even taxes are considered as violence. Not useful.
There is a difference between going to jail for 4 years and just going bankrupt. The first you lose your freedom, the second you just lose your property but can at least keep living. Many people would never recover mentally from being incarcerated for 4 years, but many can recover from bankruptcy.
You're right, I only gave a half-answer. We do have lws against sedition [1]. Having grown up around UK common law, I carelessly linked to libel instead - it's called 'seditious libel' over there. But that's probably not what you meant when you referred to libel. I'm sorry for the confusion and for not reading the link I posted more carefully.
I don't much like him, and from my politics (generally left) I guess I'm supposed to be angry about the underprosecution of white-collar crime, but I don't see a great case for actually imprisoning him. I mostly take a view that imprisonment is a last resort to physically restrain people from harming society further, with alternatives being preferable, if at all possible. Is imprisonment really the last option available in Madoff's case? I think just banning him from investment-related jobs and imposing some kind of probationary oversight would be sufficient to keep him from reoffending. In addition, of course, to confiscating his wealth, plus perhaps taking some portion of his future earnings as restitution.
>"I think just banning him from investment-related jobs and imposing some kind of probationary oversight would be sufficient to keep him from reoffending."
Would the ban guarantee he could never re-offend, or would it just limit the scale of any potential future fraud?
Given the level of his past fraud and allegations of possible fraud going back as far as the 70s imprisonment doesn't sound inappropriate to me.
The problem is with the wealth he probably has hidden somewhere.
If not in prison, he would still be living a very rich life. He wouldn't need any job.
Madoff is the perfect example. Sure, on the surface his actions weren't violent, but I'd be surprised if someone didn't die as a result of his $60 billion theft. I'm not even talking about the suicides that probably occurred. Instead, imagine all of the people who lost everything and could no longer afford to take care of themselves properly.
Consider something like $10,000 over 10 years. Enough to notice, but it's not going to make a software engineer homeless. (I think that's too much in this case, but consider non-violent criminals in general.)
And in this manner, he could still keep a job and perhaps add value to society. Sending him to prison is a net loss for everyone, because of the cost to society of keeping him locked in a cage, and the difficulty of him finding employment following the prison sentence, in which case he might continue to drain on society. Prisons should serve to prevent violent people from inflicting harm upon others, and not strictly as a method of punishment.
To be fair, this is a threat of violence against his employer if they do not comply. Also, another way to look at it is forced taking, which is also violent.
Yes, but most employers err on the side of caution, reducing the likelihood of violence. There will never be no violence until every individual on Earth always acts in society's best interest without any persuasion whatsoever. I think we can all agree that's not going to happen ever, so in order to maintain order, we do need to threaten violence in the right circumstances.
Agreed. Your rationale and mine align, but are in opposition to the person I originally responded to, who suggested a blanked prohibition on violent punishment against non-violent offenders.
Do you get 10 traffic tickets a year? How much should we fine a 12 year old script kiddie if they were to do the same thing? AT&T is to blame here for not taking even the smallest measure to secure their data.
A minor? You can't fine a minor because they don't have income. You could fine their parents. I would suggest juvenile hall, maybe 1 week.
If we were to fine weev, for a crime that was otherwise punishable with jail, it should be done as a percentage of his income. 15% would be hurtful enough, I think.
Tons of americans are already swimming in well-intentioned debt that's far worse than the "punishment" suggested above.
The emails were never distributed except to Gawker, who did not publish them - just a redacted screenshot of a few dozen of the .mil and .gov ones with the username and second level domain part blacked out.
Absolutely ridiculous. From what I've read about "weev", he wasn't really the nicest guy on the 'net. I don't know specifics, but really, I don't think they matter.
Here we have a person accessing publicly available data on a public server. Its analogous to ATT posting customer information in a public alleyway (maybe not intended for public viewing, but within the legal possibility of the public to view), and having someone take a picture of the information.
No violence, no trespassing. Disseminating information left sitting around == Jail. This kind of crap needs to stop.
If those documents you take a photo of are "an email address" and posting it online is "giving it to a journalist who redacts information before taking a screenshot and doesn't release a dump of the data" then I would suggest that, while I wouldn't be too happy with you taking photos through my window, I wouldn't expect you to go to jail for it.
I'm amazed by the hoops people will jump through to protect this rat. He already admitted that his ultimate goal was to "harass and embarrass" "rich people".
I'm pretty indifferent towards him, he does seem like a moron and an asshole, but this is pretty much the first time I'm hearing anything about him (before I recall hearing "weev" and a few details about the AT&T stuff, nothing about who he is).
Him being an asshole doesn't mean he deserves jail time for what he did.
How about rather than deciding he deserves punishment because you don't like him, and then getting upset when anyone disagrees with you, judge his "crime" and decide whether it deserves jailtime. After that, feel free to separately to judge him as a person and decide you won't lose any sleep over his punishment.
I'm amazed how many people are willing to accept the possibility of this kind of treatment for themselves and everyone else, on the basis that weev is not a nice guy.
This is an irrelevant statement because taking photos of someone through their window is not a crime, the act of trespassing on their property to do so is.
So really the proper analogy is that if you've got your windows wide open and are dancing in front of them naked when some perv takes a photo from the road there's really not any legal recourse for you.
Different premise. The inside of my home is private, and you are not allowed to look or be inside without my permission. Not to mention, you are trespassing.
I'm afraid the message the DOJ is sending with this sort of thing (Aaron Swartz in mind as well) is "in for a penny, in for a pound". If you're going to do the hack, f#ck them up, because they're going to sentence you as if you had in any case.
95 comments
[ 2.8 ms ] story [ 149 ms ] threadLooks like every article on the net about it will get separate topic.
http://www.nytimes.com/2006/04/17/opinion/17mon2.html
As far as I understand it, the data was publicly accessible and merely visiting the URL output the data he found. I don't view that as hacking.
If you use the word "hack" in front of normal people, they would probably view it as some neckbeard breaking passwords and bypassing electronic safeguards in a dangerous fashion. They would view it as equivalent to that scene from Mission Impossible where Tom Cruise is dangling from wires to break into the CIA or that scene in Terminator 2 where young John Connor gets easy money from the ATM. I use those popular references because that's what most people think is involved when you use the word "hack" when that's not the case here.
This case, if I understand it correctly, literally involved somebody visiting a URL. Whether he did so by typing it into his browser or using an automated program or not doesn't change the nature of the action to me.
However, breaking into someone's car in order to roll up their windows and leave them a note telling them not to do it is perfectly good in my book. So I think it's better when people focus more on the severity of the actual crime committed, rather than on the ease of committing it.
So maybe the analogy works better like this: You're blind and walking around. Suddenly you get to some random car. Being a curious person you touch it to feel what kind of car it is and, in doing so, discover that the windows are rolled down. Reaching inside you also feel that the key is in the ignition. Then the question is, should you go to jail for attempting to steal the car (imagine that blind people are excellent drivers). You certainly did the exact same motions that a car thief would. Which are the exact same motions that a car enthusiast and curious person would do. The analogy breaks down about here, since the guy in the story copied the car by touching it, which we can't do yet.
1. walking away, maybe telling someone
2. sucking up as much private data as you can
Obviously this "hack" was simpler, and AT&T's security was lousy. But the simplicity of an attack is not an excuse for mounting it.
I've written a lot of loops, and incremented a lot of numbers, and none of them have ever become properly escaped XSS exploits, or malformed YAML, etc. If your bar for "hack" is so low that we're training pre-schoolers to accomplish it, it may lack all descriptive power.
URLs are by design human readable and human editable. Simple discovered usage of these resources is not hacking, it is intended.
Imagine you're reading a story at example.com/stories/bears-part_1_of_3.html and just as it gets good, it's done. Without so much as a "The End".
Do you sit dumbfounded, or do you hack the bejeezus out of the website?
See how silly that sounds. So lets just say you "went to the next page".
But it's not the "hack" that you're worried about, it's the stealing. And stealing is separately illegal. Not all stealing is hacking just because a computer is involved, and something that isn't otherwise hacking shouldn't become hacking just because it involves theft or some other malicious activity that would itself be against the law.
Knowing that, why not do it like he did?
Any technical person of course understands that what AT&T did is akin to dumping money on the sidewalk, but you would never know from the cloud of uncertainty and ignorance that permeates these articles. We can't get more specific laws if the understanding of journalists can't rise above the word "hacking".
The reasons why this statement is true would make for a very interesting investigation, methinks.
I have 2 emails: public, and semi-public. My public email is used to register for all sorts of things. My semi-public is only used to register for the most important things, and is posted on several internet profiles as a way to contact me.
Sure, we can say that AT&T is a telecommunications company that should try to protect the customers that pay for their service, but we all know that AT&T is actually a government intelligence agency with all the expected bureaucracy of a military sect. Protecting their customers is #1, and their customer is US Gov.
If AT&T gave a single fuck about its customers, Weev wouldn't have been able to access another user's account by incrementing a number in the URL.
If AT&T gave a fuck about its customers, they wouldn't have destroyed any chance of having a white hat point out security flaws to them in the future, before the black hats find them.
If AT&T gave a fuck about its customers, they wouldn't charge customers $20 a month for texting capabilities that cost them a nickel to provide, or $40 a month for $2 worth of bandwidth.
Should I continue? There are a million other reasons why your statement makes no sense whatsoever.
If they cared about customers, they would be open to criticism when security experts are ready to offer it behind closed doors.
It's sort of a corollary to the idea that all of these convictions are intended to set the precedent that all Internet users are criminals.[0] If the primary purpose of telecos is to serve the US government, and the US government wants to criminalize Internet use, then it would make sense for them to serve "hackers" with hefty sentences in cooperation with the department of justice.
[0]: https://news.ycombinator.com/item?id=5393561
Either that, or you're serious and also an idiot.
ATT is very much overseen by the US military/CIA.
http://www.amazon.com/Shadow-Factory-NSA-Eavesdropping-Ameri...
This book details some of the backroom agreements big telecoms have had for decades that "relieve" them of legal responsibility.
If I were the judge, I would have sentenced him to maybe 1 year (for releasing the info publicly), maybe made him serve 6 months of the sentence and given him a 3 year good behaviour bond with some conditions on getting some counselling for his obvious narcissism problem. The justice system really needs to get with the times, because these computer related hacking/cracking/exploiting incidents are only going to continue being a more common occurrence. The justice system is riddled with judges in their mid to late 60's who were raised in a non-Internet world and thus cannot truly understand the depth cases like these have or comprehend the extent as to how these defendants should be prosecuted.
Libel, I'm not sure, but I'm American so we have no such laws anyways.
DUI is interesting: its like randomly shooting into a crowd of people and just missing to hit someone.
http://www.law.cornell.edu/wex/libel
There is a difference between going to jail for 4 years and just going bankrupt. The first you lose your freedom, the second you just lose your property but can at least keep living. Many people would never recover mentally from being incarcerated for 4 years, but many can recover from bankruptcy.
1. http://www.law.cornell.edu/uscode/text/18/2385?quicktabs_8=1...
http://www.nolo.com/legal-encyclopedia/defamation-law-made-s...
Given the level of his past fraud and allegations of possible fraud going back as far as the 70s imprisonment doesn't sound inappropriate to me.
The problem is with the wealth he probably has hidden somewhere. If not in prison, he would still be living a very rich life. He wouldn't need any job.
Consider something like $10,000 over 10 years. Enough to notice, but it's not going to make a software engineer homeless. (I think that's too much in this case, but consider non-violent criminals in general.)
If we were to fine weev, for a crime that was otherwise punishable with jail, it should be done as a percentage of his income. 15% would be hurtful enough, I think.
Tons of americans are already swimming in well-intentioned debt that's far worse than the "punishment" suggested above.
The emails were never distributed except to Gawker, who did not publish them - just a redacted screenshot of a few dozen of the .mil and .gov ones with the username and second level domain part blacked out.
Here we have a person accessing publicly available data on a public server. Its analogous to ATT posting customer information in a public alleyway (maybe not intended for public viewing, but within the legal possibility of the public to view), and having someone take a picture of the information.
No violence, no trespassing. Disseminating information left sitting around == Jail. This kind of crap needs to stop.
Him being an asshole doesn't mean he deserves jail time for what he did.
How about rather than deciding he deserves punishment because you don't like him, and then getting upset when anyone disagrees with you, judge his "crime" and decide whether it deserves jailtime. After that, feel free to separately to judge him as a person and decide you won't lose any sleep over his punishment.
So really the proper analogy is that if you've got your windows wide open and are dancing in front of them naked when some perv takes a photo from the road there's really not any legal recourse for you.
The corporations and government can get away with what amounts to murder, yet this troll gets locked up for harming no one?
Where is the victim? Where is the harm?
Does the punishment fit the crime?