Weev gets 41 months in prison for exposing iPad strokers' privates

Andrew Auernheimer, a member of the grey-hat hacking collective Goatse Security, has been sent down for three years and five months in the slammer after he helped leak users' private email addresses via a flaw in AT&T's servers. Auernheimer, known online as Weev, received his sentence wearing shackles after he tried to bring a …

COMMENTS

This topic is closed for new posts.

Anonymous Coward

If you tried the same trick on someone's front door you wouldn't be able to use the excuse that you were doing security research.

The servers aren't his property, therefore he is not allowed to play around with them, simple as that.

If you want to hack hardware and software then make sure it is your own!

15
39
Anonymous Coward

God you're stupid. Comparing it to a front door is a childish attempt at misdirection.

If nobody performed these kinds of investigations then the only people doing it would be criminals, and guess what, people stealing your details for profit aren't going to tell anybody about the flaw (except maybe other criminals for a tidy profit). Also telling the company responsible for the flaw rarely gets you anywhere (particularly if it's a big company) apart from occasionally a gagging order or prison.

No this person did one thing wrong, and that was embarrass big business.

41
14
Joke

As long as you don't distribute the code and it's not a Sony Playstation!

1
1

Except...

A real "good guy" hacker would find the exploit and demonstrate it - without grabbing all of that data and handing it over to someone else.

Likewise, someone who knew how to pick a lock wouldn't break into the house and rummage through the belongings of the people inside - he'd go to the manufacturer and show them how he did it, or wait and demonstrate the flaw at a conference.

That "companies won't respond" line is pretty much false - it's an excuse given by hackers when they get caught doing something stupid. Usually, it's a lazy but egotistical hacker-wannabe who wants to make the headlines, but doesn't want to bother with actually calling the persons who are responsible for said security flaws. "I contacted the company" usually boils down to "I called their PR department, and they told me it was the wrong number."

21
4
Silver badge

If he did try it on someone's front door, and even helped himself to a TV, and somehow the cops bothered to look for him I don't think he would be spending any time in jail.

His other fault was not kissing the Judge's arse.

19
6
Anonymous Coward

Not stupid - the law is the law.

@ anon 18/3 @18:56

If nobody performed these kinds of investigations then the only people doing it would be criminals, and guess what, people stealing your details for profit aren't going to tell anybody about the flaw (except maybe other criminals for a tidy profit). Also telling the company responsible for the flaw rarely gets you anywhere (particularly if it's a big company) apart from occasionally a gagging order or prison.

Nope. "These kind of investigations" can be performed without immediate disclosure of personal information. Even if he downloaded data, he could have kept that confidential and used responsible disclosure to make AT&T aware of the issue, with a time clause to get their rear ends in gear but again without disclosure of personal details.

I was once asked to verify if information protection was in place in a location which I am not allowed to name. When I found a route in, I had my big boss tell me I should copy a document from that service as proof. I told him that I was happy to show an authorised member of staff what to do and grab the data, but there was NO WAY I would touch a document myself. If, by any chance, information leaked about the data that I had copied, guess who would be suspected first? Not a chance.

In my experience, teaching beginners about security properly rarely involves teaching them technical things - that inclination tends to come with the package. Making them think about consequences is FAR more important.

Was the sentence appropriate? No, but if you piss people off by not giving them a chance, you risk that they throw the book at you. This is the point where you realise that people matter.

13
2
Bronze badge

God you're stupid to make the remark "God you're stupid".

As it is, the only people doing it are criminals. Did you not read the article? Do you not understand the law?

You could make the same lame "if we didn't do it only criminals would be doing it" argument with front doors of homes too, it would be equally invalid.

2
8
Silver badge
Meh

The justice system

Needs to be updated from 1.0 to 101.9.

0
0
Mushroom

And you're a fuckwit for saying "God you're stupid to make the remark "God you're stupid"." and the rest of the pish you wrote.

"As it is, the only people doing it are criminals" - what bloody planet are you living on, you moron.

My initial thought was I hope you don't end up in a situation where you end up in jail for something that caused NO damage, NO financial loss (other than paying coders to fix the sloppily installed server) and he sought NO financial gain but then I thought "you know what it might be the wake up call WatAWorld needs".

4
4
Anonymous Coward

I hope you don't end up in a situation where you end up in jail for something that caused NO damage, NO financial loss (other than paying coders to fix the sloppily installed server) and he sought NO financial gain

Chris, that isn't the problem. Those facts may act as mitigation to lower a sentence, but the bottom line is that a law was broken, and someone got punished for it. The guy got convicted exactly because there are other ways to do this, and he didn't even try any of those alternatives.

Was the sentence excessive? In my opinion, yes, but those are the dice you roll when you break the law. He didn't exactly help himself by not showing remorse either (which no doubt contributed to the sentence).

5
0
Bronze badge
Thumb Down

@ AC (18:56) - Re :

Wrote :- "If nobody performed these kinds of investigations then the only people doing it would be criminals"

Weev is a criminal. For future reference, a "criminal" is someone who commits a crime.

3
1
Pint

Re: @ AC (18:56) - Re :

" For future reference, a "criminal" is someone who commits a crime"

True, but not relevant. People are clearly using the term "criminal" here to mean "someone who deserves to be convicted" instead of "someone who *was* convicted." While not strictly correct, the rest of the pedants (and I include myself in this group) seem to be coping just fine. I find that beer helps.

2
0
FAIL

Re: @ AC (18:56) - Re :

not quite: a "criminal" is someone who gets afoul of penal law, i.e. commits a deed that the state deems harmful enough to society to commit public funds to prosecute it and punish it with a jail sentence.

In this case, please demonstrate the harm to society. There does not seem to be any, actually, there is a benefit in the flaw being promptly fixed by AT&T.

The fact that there is a penal law that allowed this conviction just means that the law-making system is corrupt enough for such a law to exist. This law is an aberration so upholding it to quasi-religious standards with statements such as "the law is the law" is pretty short-sighted.

But well, with the Supreme Court declaring that bribing a politician (election money) is "free speech" and protected by the first amendment, you guys are in big trouble.

0
0
Bronze badge

"If you tried the same trick on someone's front door you wouldn't be able to use the excuse that you were doing security research."

That was the point I was going to make. If my front door has a cheap lock, that doesn't mean a random stranger may pick the lock and toss my home.

If you want to hack hardware and software, but don't want to hack your own, get a contract with the owner. You'll turn a nice profit and hack to your heart's content.

0
0

This post has been deleted by a moderator

Anonymous Coward

Importance

... or lack thereof: Auernheimer will find out how little of it he has, very soon now. The only importance he has is self-importance.

5
5
Silver badge
Devil

Showing no contrition

If there is one thing that the justice system hates, it is criminals who don't make at least a show of regretting what they have done. It is a bit like declaring at the customs that your job is smuggling. I bet the sentence would have been way more reasonable if he had "treated them with respect".

7
0

Contrition is a religious concept,

and one easily mimed, for which there should be no consideration in a rational and fair legal proceeding.

What you are really referring to is the practice of pandering to the sentencing Judge's pampered sense of sadism by engaging in a (generally lawyer-advised) ritual bout of 'voluntary' self-abasement taking the form of grovelling apologies and abject pleas of misericordia. Those who are innocent or proud refuse to engage in this extra-judicial public auto-flagellation and so are otherwise punished with a more severe sentence within the (corrupt) Judge's 'discretion'. Those who do, get the sentence already decided upon - i.e. gain no benefit from the humiliation.

Another weighty factor here is the desired political effects, of which I can see two:

1. The lower classes must (re)learn that their place is toiling in silence, not embarrassing OverLords with disclosures about their vulnerabilities or crimes - lulz, satire or free speech against the ruling mafia will be severely punished.

2. Hackers must learn to tremble in pre-emptive fear of the Pentagovernment, and quietly render any discovered 0-Days to the CyberOffence Command for Droit-de-Seigneur-style exploitation against the fabricated enemies-du-jour, both foreign and domestic.

Of course, for the morose US legal body, in which the highest value is the perpetual impunity of State warcriminals and torturers, this kind of savage result is achieved during coffee breaks, hardly even counting as in the day's work.

So, au contraire - it's a filthy, rotten Injustice System, which earns no respect but rather an immeasurable contempt.

Free All Political Prisoners, Free Weev!

18
5
Silver badge

Re: Contrition is a religious concept,

I think you don't get it. The point of the justice system is to get people to act legally. There were plenty of ways to report the flaw without sending private user data to the press. It was even possible to publicly embarrass the company by revealing the flaw without actually leaking private user data. So Weev broke the law without any proper justification, not even that of being a whistleblower. Satire is protected free speech, but lulz is not.

In that case, the job of the justice system is to first, point out that this is illegal, and second, to deter people from doing it. When the accused is proudly admitting breaking the law and claiming it is the right thing to do, the justice system has to make it especially clear that no, it is not. And the more the accused insists on advertising his claims, the harsher the justice system has to be.

It is not about forced humiliation. Here, just shutting up would have been preferable.

3
5

"The point of the justice system is to get people to act legally"

That's the kind of touchingly infantile political naiveté so essential to the class of people who design and use that system to subdue the masses into acquiescence, allowing their injustice to continue unhindered. Well done!

Your practically religious resistance to reality would be admirable, if it did not have such severe consequences.

Check this and see if you still agree with yourself:

http://www.freegarytyler.com/writings/isr.html

3
3
Anonymous Coward

Re: "The point of the justice system is to get people to act legally"

"That's the kind of touchingly infantile political naiveté so essential to the class of people who design and use that system to subdue the masses into acquiescence, allowing their injustice to continue unhindered."

Yes, like a telephone company who store people's email.

FIGHT THE POWER!

DOWN WITH TELEPHONE COMPANIES WHO SUPPLY EMAIL TO IPADS AND ALL THEIR DESPOTIC SYSTEMS OF INJUSTICE THAT SUBDUE THE MASSES INTO ACQUIESCENCE!

etc etc, till you turn 14 years old

1
3
Anonymous Coward

Re: "The point of the justice system is to get people to act legally"

Hahaha. HahahaHAAAAhahaha hihi hahahahahah HAHAHAHA. Sorry, haha, let me catch my breath, hahahaha. Hah. Hihihi. So someone gets a few years in the slammer because he behaved like an idiot, and you compare this to a death row situation? Seriously?

The evidence was very clear and simple, no doubts there. Secondly, he had plenty of opportunity to follow legal routes to make this problem known, he chose not to. Thirdly, he didn't even have the brains to even *pretend* to have remorse at his trial, so they threw the book at him. Don't you think your reference may just be a teeny weeny bit irrelevant and OTT? No?

As for the rest of your rant, the law is there to enable a livable society. Your contract to derive rights from participation in that society is contingent on making an effort to follow the law and the obligations a society imposes on you. If you break the law, you harm the rights of others which can lead to punishment. Granted, that system could be improved but the principles are there. If you don't like those obligations and laws (aka rules), in most societies you also have the right to leave.

A couple of years in less enlightened sections of the planet may prove educational anyway.

0
0
Silver badge
Linux

Re: Contrition is a religious concept,

No. You're just kidding yourself. You're assuming that the corporation will act in good faith when that is the least likely thing to happen. Even multiple public shamings and large jury awards don't always encourage corporations to do the right thing. Assuming that they would mend their ways because of a polite little note is absurd bordering on being a diagnosable psychological disorder.

Despite his other conduct, exposing this to the world was a valuable public service. We would never have known otherwise and AT&T would never have any motivation to clean up their act.

4
0
Anonymous Coward

Re: Contrition is a religious concept,

Believe it or not, companies don't actually want to expose their customers' personal information to the internet. There's laws against them knowingly doing it etc. Data protection law etc. Naming and shaming publicly really isn't in anyone's interest. I know, as I've worked on these things, with these companies. They're not overly keen on going to jail, like most people.

But you crack on, publishing individuals' personal details on the net is the only way to achieve change.

0
0

derp derp

If you don't like it, stay the hell out of our country. We are happy to let our corporate overlords rule us to death with impunity, and we would greatly appreciate it if that annoying constitution didn't make such a racket when being flushed down the toilet so often.

Already, we're having people that believe that our government is still held accountable by its people.

Join me, fellow citizens of the State, in bowing down to worship our overlords--both corporate and the oligarchy that is our government--in this momentous great day. A day in which a criminal has met his karmic punishment at the hands of the very tools he used to commit great crimes. The first letter in each line in this comment should accurately describe our judicial system.

23
4
Bronze badge
WTF?

Re: Idrajokl????

Your formatting or my lack of understanding?

0
0
Silver badge

Re: Idrajokl????

It's a puzzle. HTML wraps unless you use /pre or line breaks (/br). In this case I get IwbAJtta at my usual 120% and IdrAJopc at 100%.

0
0
Trollface

Re: Idrajokl????

Hmm. Let's see, either I can blame myself for not taking the screen size/format settings of others into consideration, or I can blame others for not being able to see it properly. Hmmm...

Perhaps a screenshot will do for those of you who use a browser that refuses to follow basic web standards:

http://i.imgur.com/NHBiGMm.png

1
0
Silver badge

I don't get the $72,000 restitution to AT&T. Is this what it cost them to fix their own shoddy code? Certainly AT&T haven't suffered anything other than a little arse ache which they rightly deserve.

Granted, he could have been a bit less smug about it but he might have seen the writing on the wall over the course of the trial by paying attention to the judge's reactions. Judges like to appear unbiased but most every time I've done jury duty it's been pretty clear what the judge's opinion was by the second day.

10
1
Silver badge

I don't get the $72,000 restitution to AT&T. Is this what it cost them to fix their own shoddy code?

More likely it's what it cost them to notify their affected customers and deal with hacks related to the breach of information (possibly x3 as that's a popular punitive proportion.)

1
1
C-N
Trollface

A Great Way to Finance Your Business

1. Build shabby website.

2. Wait for inevitable "hacking" attempt. (could simply be a frustrated customer, who cares)

3. Get gov't to prosecute & sue for restitution

4. Use restitution to hire engin^H^H^H^H more marketing!

10
1
Facepalm

Freedom of the Internet? In your mind, chum

"...The Internet is bigger than any law can contain...." This is a common misunderstanding of what the Internet is. Internet means "Internetwork" - it consists of dozens of corporate networks plugged together with a common comms protocol.

I've worked on Internet development projects since the 90s and am constantly amazed by the naive drivel that passes for expertise today.

If the network administrators of those cooperating networks decided to block any traffic that neither originated from nor was destined for their own users, ie their networks became private again, then your precious Internet would disappear overnight. You'd be back with the CompuServe model again, ie, the only services available would be those provided by, or approved by your ISP.

Same if "The Law" made those network administrators responsible for the porn, trash, hackers, spam, pirated music, films, and software that crosses their networks. Dozens of corporate networks would become private again overnight and bang goes the Internet. Don't think it hasn't been discussed. Don't think it can't be done.

8
4
FAIL

Re: Freedom of the Internet? In your mind, chum

So have I, what a load of old guff you're spouting, closed networks = less money, therefore we will not see a return to AOL or CompuServe.

However, Fecalbook would certainly like to see a hybrid model of their users and other companies paying for the network, while they extract all the cash.

4
2

Big People

And yet again the US judiciary and public attorneys so that they are not interested in the safety of the plebs who use the net...but only the big boys.

These stories do nothing but reinforce my reticence to ever go back to the US...

5
2
Anonymous Coward

Re: Big People

Actually this shows that at least one person in the US Justice Department cares about the little guy.

You can't have people going around tossing rocks through windows 50,000 at a time in order to demonstrate that glass windows are insecure and getting away with it.

The, "If I didn't throw rocks through windows only crooks would throw rocks through windows" argument just does not hold water.

2
3
Pint

Re: Big People

Firstly I feel I need to apologise for the above horror show of a post. Not in terms of spelling mistakes but rather missing entire letters out! Not good.

I also failed to be clear what my actual objection was.

The length of the jail sentence is far too extreme for the level of the "crime". Given that the data was available on an open web server. Rather than censuring AT&T for lax security the judge and prosecutors went after the security researcher. Not that he is entirely innocent...but at most he's guilty of foolishly not thinking through how to report his findings in a more...professional manner.

The only reason the guy was sentenced to a ridiculously long amount of time, and fined to boot, was because he made AT&T look foolish, and had emails of people in positions of influence and power. If all those emails had been ordinary folk I bet you he'd have never been sentenced to such a long time in prison.

Of course this is only my opinion and I could well be wrong and you would be right in presuming that I am typing this in a ranty rage. However it is quite clear that when it comes to computer "crimes" the US does tend to take things to an extreme...it either being driven by prosecutors wanting to make a name for themselves (and judges) or powerful people able to hire suits that the defendant just does not have the resources to compete against.

Pint coz well ranty rages are a thirsty business, right? ;)

11
0
Gold badge

Re: Big People

Firstly I feel I need to apologise for the above horror show of a post. Not in terms of spelling mistakes but rather missing entire letters out! Not good.

Hey, happens to me too. Not a problem :)

The only reason the guy was sentenced to a ridiculously long amount of time, and fined to boot, was because he made AT&T look foolish, and had emails of people in positions of influence and power. If all those emails had been ordinary folk I bet you he'd have never been sentenced to such a long time in prison.

I think it probably had more to do with the fact that the judge couldn't really see any remorse for his activity. The idea of a punishment is to prevent a repeat or correct behaviour. If the accused has already spotted where they screwed up (or can act convincingly, let's be realistic), the sentence needs not to be that harsh to ensure lawful behaviour.

If the accused doesn't show remorse, the sentence gets harsher because it still has to be made clear to the defendant that what they did was A Really Bad Idea, and because leniency could otherwise encourage other idiots to act in the same way. IMHO, the situation is aggravated by the fact that US works on precedent - if this guy had been able to walk off with a short holiday it would have set precedent for similar cases.

I'm not entirely clear what the AT&T restitution was for, though.

0
0
Silver badge

Re: Big People

" If the accused has already spotted where they screwed up (or can act convincingly, let's be realistic), the sentence needs not to be that harsh to ensure lawful behaviour."

So from your parentheses, you accept that the contrition bit is just theatre? Certainly appears to be standard in the local rag "before the magistrates", where week after week repeat offenders get lighter sentences by bleating on about how sorry they are, how they suffered exceptional misfortune themselves, and promise upon their mother's soul to go straight as soon as they are free.

If the judges are sufficiently daft to go along with this nonsense, then perhaps the pols need to set tariffs themselves, and abolish judges' discretion in sentencing.

0
0

Re: Big People

@ Mr Flintstone

Whew! I'm not the only one! I've been leaving out entire words recently...must lay off the pints ;)

It's not easy to show remorse for something that really wasn't bad as such. He should have tempered his language though. Either way though it is still an entirely over the top sentence. Ultimately the only thing he really did wrong was going about his research the wrong way...and ending up in a court with a judge who is not tech savvy to the extent that the intricacies of this kind of work are understood.

I reckon the AT&T fine was just putting the boot in for the hell of it.

0
0

This post has been deleted by a moderator

Bronze badge

Re: computer crimes

He did not make a political protest, he did not create a work of art, he posted people's personal data.

What he did has about as much to do with freedom of speech as, for example, not picking up his dog's poop in the park or raping a woman.

2
9
Anonymous Coward

Re: computer crimes

Yes it's being punished too heavily. What it means in practice is that people who find an exploit now know they keep stumm about it---just as people I knew working for a large corporate in the 90's did---or use it for criminal purposes. What not to do is publish it or brag about it. I saw people get in trouble for revealing back doors, or being suspected as a 'hacker'. I even kept my crack scripts in zombie accounts!

1
0
Flame

Re: computer crimes

You again...ffs will you take the time to do some research and ** try ** to understand the points that the post you replied to was making.

Not sure what your problem is but you have a seriously deluded view of the world.

0
0
FAIL

Re: computer crimes @WatAWorld

Because we put people in prison for 3 years for not picking up dog poop? Because altering a URL and then creating an automated script is a crime on par with forcing yourself upon a woman and subjecting her to a despicable assault such as rape?

People who think like you are the reason this world is so f**ked up.

5
1
Vic
Silver badge

Re: computer crimes

> not picking up his dog's poop in the park or raping a woman.

I wish I had more than one downvote to assign...

Vic.

0
0
Bronze badge

Redaction...?

Based on this one article, it sounds like he didn't redact any of the customers' information before sending the data to Gawker to publish. That's making a lot of third parties pay in aggravation (and the possibility of identity theft, etc.) for their ISP's failure. Frankly, AT&T's embarrassment is of zero importance to me -- punishing users for their choice of connectivity vendor strikes me as being more than a bit of a dick.

He could have -- relatively easily, I'm sure -- redacted the information in such a way that Gawker or some other news outlet could have presented it to ATT, asking for confirmation that it was theirs and asking if they were aware of the flaw in their security, without leaving the users hanging in the wind.

Also, there is no mention of how LONG he waited for ATT to fix the flaw before going past them for the publicity. Three days...? A week...? Three months...? This has bearing, I think, on whether his actual goal was giving ATT a genuinely reasonable amount of time to verify the problem, fix the code, test the fix, and roll it out, or whether it was just to cover his ass with the "Well, I TOLD them and they did NOTHING so I HA-A-A-A-AD to go over their heads" defense.

6
0
Anonymous Coward

Re: Redaction...?

I used to use the name gawker on irc a long time ago, hope they don't get confused and arrest me!

0
0
Windows

Idiot!

Why didn't he create a couple of his OWN accounts, then try to crack them, and only those, then tell the BOFH how he did it.

If it was his OWN accounts that he cracked, not much cause for a hefty fine...or porridge. That's how I'd do it.

Oh, wait. Cattle prod/weekend in the tape safe?

2
0
Anonymous Coward

He's Right

"Internet will topple governments,"

He's right.

2
1
FAIL

Re: He's Right

You really think obese people in front of computers will achieve anything?

Unemployed professionals in large numbers without electronic sedatives - they can achieve something. The intarwebs will achieve nothing while crumbled finance can achieve all sorts of highly nasty stuff.

2
0
