'Weev' appeals AT&T iPad hack conviction

US cybercrime lawyers have filed an appeal against the conviction and lengthy sentence imposed upon Andrew "Weev" Auernheimer in a high-profile iPad data leak case. Auernheimer, a member of the grey-hat hacking collective Goatse Security, was jailed for three years and five months back in March after he was found guilty of …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Insecure server makes it OK?

    "Weev's conviction under the Computer Fraud & Abuse Act (CFAA) was heavily criticised in the security community because the leaked data was harvested from an insecure server."

    Couldn't you say that about most internet facing servers?

    "I launched an exploit against a server triggering a security vulnerability which rendered the server insecure and I collected information"

    Not saying that they should give Weev a zillion life sentences, just saying if this is his defense, it's shit.

    1. Anonymous Coward

      Re: Insecure server makes it OK?

      "triggering a security vulnerability"

      The security vulnerability was already there; it did not need to be "triggered".

    2. NinjasFTW

      Re: Insecure server makes it OK?

      I don't think there was a 'hack' however.

      It was a poorly coded page that allowed you to enter random ICCIDs, and it returned the customer's details.

      It's not like they triggered a vulnerability in the web server that allowed them access to files on the server etc.

      1. Tom 38

        Re: Insecure server makes it OK?

        Not random, sequential IDs.

    3. Anonymous Coward

      At that level of insecurity I would hope so

      Otherwise you would have no way of knowing whether following a URL would mean you had broken the CFAA. If the operator of the web site decided they didn't want you to access that page then you'd be guilty, even though there was no protection on the page whatsoever.

      1. Anonymous Coward

        Re: At that level of insecurity I would hope so

        Likely an excessive sentence, but if it's even started, it will be in a comfy min. security adventure camp.

        Weev is a self-obsessed and vain asshole, but will be a useful addition to the NSA or one of the several other "cyber-commands" once the charges are quashed to allow it.

      2. Jamie Jones

        Re: At that level of insecurity I would hope so

        "Otherwise you would have no way of knowing whether following a URL would mean you had broken the CFAA. If the operator of the web site decided they didn't want you to access that page then you'd be guilty, even though there was no protection on the page whatsoever."

        Wasn't this an issue in the UK a while back?

        I seem to remember comments saying that this would mean you were guilty of hacking if you manually altered the URL (e.g. going 'up a level' by deleting backwards to the next forward-slash).

        Perhaps other readers remember more details...

    4. myarse

      Re: Insecure server makes it OK?

      Did you also miss "Auernheimer then distributed the list of email addresses to media organisations as proof of the vulnerability, forcing AT&T to acknowledge and fix the security problem."

      No, having an insecure server with your customers' details is not OK and the only way to stop this happening is to name and shame companies which don't play nice when people tell them so.

  2. Robert Helpmann??

    ...the only message this sends to the security research community is that if you discover a vulnerability, you could go to jail for sounding the alarm.

    What the lawyer could not say is that this really encourages people who do this sort of research to turn the results over to the black hats, for profit.

  3. g e

    "publicly available on the net"

    Doesn't sound like a hack to me.

    Moreover it sounds like AT&T were the ones responsible for distributing them.

  4. tony2heads

    insecure set-up of AT&T's servers

    Surely that's the way that the NSA wants!

    I hope that he doesn't live to regret the name 'Goatse' for his company

  5. Candy

    "The Electronic Frontier Foundation (EFF) has teamed up with law professor Orin Kerr, internet attorney and EFF fellow Marcia Hofmann, and Weev's trial lawyers Tor Ekeland and Mark Jaffe in filing an appeal with the 3rd US Circuit Court of Appeals."

    One can only assume that Larry Lessig was not available...
