'Weev' appeals AT&T iPad hack conviction

US cybercrime lawyers have filed an appeal against the conviction and lengthy sentence imposed upon Andrew "Weev" Auernheimer in a high-profile iPad data leak case. Auernheimer, a member of the grey-hat hacking collective Goatse Security, was jailed for three years and five months back in March after he was found guilty of …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

Insecure server makes it OK?

"Weev's conviction under the Computer Fraud & Abuse Act (CFAA) was heavily criticised in the security community because the leaked data was harvested from an insecure server."

Couldn't you say that about most internet facing servers?

"I launched an exploit against a server triggering a security vulnerability which rendered the server insecure and I collected information"

Not saying that they should give Weev a zillion life sentences, just saying if this is his defense, it's shit.

1
4
Anonymous Coward

Re: Insecure server makes it OK?

"triggering a security vulnerability"

The security vulnerability was already there; it did not need to be "triggered".

0
1
FAIL

Re: Insecure server makes it OK?

I don't think there was a 'hack' however.

It was a poorly coded page that allowed you to enter random ICCIDs, and it returned the customers' details.

It's not like they triggered a vulnerability in the web server that allowed them access to files on the server etc.

1
0
Silver badge

Re: Insecure server makes it OK?

Not random, sequential IDs.

1
0
Anonymous Coward

At that level of insecurity I would hope so

Otherwise you would have no way of knowing whether following a URL would mean you had broken the CFAA. If the operator of the web site decided they didn't want you to access that page then you'd be guilty, even though there was no protection on the page whatsoever.

1
0
FAIL

Re: Insecure server makes it OK?

Did you also miss "Auernheimer then distributed the list of email addresses to media organisations as proof of the vulnerability, forcing AT&T to acknowledge and fix the security problem."

No, having an insecure server with your customers' details is not OK and the only way to stop this happening is to name and shame companies which don't play nice when people tell them so.

4
0
Anonymous Coward

Re: At that level of insecurity I would hope so

Likely an excessive sentence, but if it's even started, it will be in a comfy min. security adventure camp.

Weev is a self-obsessed and vain asshole, but will be a useful addition to the NSA or one of the several other "cyber-commands" once the charges are quashed to allow it.

0
0
Silver badge

Re: At that level of insecurity I would hope so

"Otherwise you would have no way of knowing whether following a URL would mean you had broken the CFAA. If the operator of the web site decided they didn't want you to access that page then you'd be guilty, even though there was no protection on the page whatsoever."

Wasn't this an issue in the UK a while back?

I seem to remember comments saying that this would mean you were guilty of hacking if you manually altered the URL (e.g. going 'up a level' by deleting backwards to the next forward-slash).

Perhaps other readers remember more details...

0
0
Bronze badge

...the only message this sends to the security research community is that if you discover a vulnerability, you could go to jail for sounding the alarm.

What the lawyer could not say is that this really encourages people who do this sort of research to turn the results over to the black hats, for profit.

6
0
g e
Silver badge

"publicly available on the net"

Doesn't sound like a hack to me.

Moreover it sounds like AT&T were the ones responsible for distributing them.

2
1
Bronze badge

insecure set-up of AT&T's servers

Surely that's the way that the NSA wants it!

I hope that he doesn't live to regret the name 'Goatse' for his company

0
0
Coat

"The Electronic Frontier Foundation (EFF) has teamed up with law professor Orin Kerr, internet attorney and EFF fellow Marcia Hofmann, and Weev's trial lawyers Tor Ekeland and Mark Jaffe in filing an appeal with the 3rd US Circuit Court of Appeals."

One can only assume that Larry Lessig was not available...

0
0