'Weev' attempts to overturn AT&T iPad 'hack' conviction

Lawyers for Andrew "Weev" Auernheimer went to court on Wednesday to appeal his conviction in a high-profile iPad data leak case. Auernheimer, a member of the grey-hat hacking collective Goatse Security, was jailed for three years and five months back in March 2013 after he was found guilty of leaking the private email …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    WTF?

    So...

    It's basically the fact that he wrote a script to do something that he could have done one by one manually that got him a couple of years of jail time?

  2. Anonymous Coward

    Land Of The Free needs to be renamed Land Of The Incarcerated.

    Do you think US citizens will ever have a revolutionary war of independence against a government of tyranny that subjects them to such poor laws?

  3. Valeyard

    Wrong charge

    Right guy, wrong charge. He did so much else he deserves to be put away for, but this really shouldn't have been a crime

    1. Anonymous Coward

      Re: Wrong charge

      What, for hacking Amazon because they reclassified gay literature as pornography?

      Oh because he's a troll, except he's a troll in the old use of the word. I think the GNAA are actually quite funny. I rather enjoyed the media coverage of the Sandy Loot Crew.

      You are free not to and might not like him, but I haven't seen or heard anything that he's done that deserved three and a half years in federal nick.

      1. Valeyard

        Re: Wrong charge

        Pretty much ending a woman's entire career and necessitating her housemove for one..

        but nah women don't count, as long as you stick it to a corp

  4. Mark 85

    If he had worked for NSA

    He would have received a medal. OTOH, he peeked into a wide-open server and it's called hacking? And he's being prosecuted by lawyers and before judges who have no clue? In the military, we had the UCMJ which paraphrased into Uniform Code of Marsupial Justice. This seems to be the current state of the US judiciary lately.

    I'm sure there's other things he did since he's "grey-hat"... but he told them what he found and didn't use it for evil. Sort of like telling a store owner he left the front door to his business unlocked last night and then getting jailed for breaking and entering. BS.

    1. A J Stiles

      Re: If he had worked for NSA

      That's the new way of doing security: Wait for some honest person to point out a gaping hole in your defences, then blame them for it.

      1. NumptyScrub
        Trollface

        Re: If he had worked for NSA

        quote: "That's the new way of doing security: Wait for some honest person to point out a gaping hole in your defences, then blame them for it."

        Unfortunately there is no "honest person" in your example; finding the gaping hole is apparently a crime in and of itself ^^;

        Fortunately it does lend itself to the interpretation that information on your computing device is "protected" from foreign actors via that same legislation; e.g. the WhatsApp trawling of people's contact databases on the phone is a similar CFAA offense.

        You may even be able to persuade people to indict Facebook for "handling stolen goods" (aka the WhatsApp contact databases purloined from people's phones) if you're lucky :D

        1. phuzz Silver badge
          Alert

          Re: If he had worked for NSA

          Technically WhatsApp asked your permission to trawl through your contacts. Of course, most people (including me) just clicked 'Accept'.

  5. Gordon 10

    Guilty

    Like it or not - he mined data and published it. How easy it was or not is immaterial.

    However pure his motives (and I suspect there was an element of frustration and "for the lols" involved) - he broke the law.

    I do think his punishment is well out of proportion to the crime - I presume the law he was charged under didn't allow a more lenient sentence.

  6. Tiny Iota
    Mushroom

    Insecure = ok?

    So, because the server was insecure and he didn’t have to try very hard to get the data, that gives him the right to get it?

    While I know there is an obvious difference between copying and stealing, in that copying doesn’t deprive the original owner of the thing itself, an analogy is if someone steals the plant pots from your front garden, have they not committed a crime, just because it was easy to do? The plant pot wasn’t fixed to the ground. There is no fence around the front of my house. So it was a very insecure plant pot, it was fair game and I deserve it?

    No, I don’t think so. I think he’s guilty. Whether it deserves over 3 years in prison is something else, but there’s no way his conviction should be overturned, based on that line of defence at least.

    1. John G Imrie

      Re: Insecure = ok?

      So, because the server was insecure and he didn’t have to try very hard to get the data, that gives him the right to get it?

      No.

      He went to the server and said give me all the data you are allowed to give me. And then told AT&T that it had given him all these email addresses.

    2. Mystic Megabyte
      Unhappy

      Re: Insecure = ok?

      I find your plant pot analogy to be wrong.

      Say that I'm on the subway and a man next to me has fallen asleep with an open folder on his lap.

      I cannot but help to read some confidential information and then tell it to my friends. Is that hacking?

      1. big_D Silver badge

        Re: Insecure = ok? @mystic

        Yes, a much better analogy.

        And the guy didn't publish the results (according to the article), he handed it over to a "news" site, which published a redacted list - which usually means that personally identifiable information is removed.

        If he had sold the information to an identity theft ring or something, I could understand him being prosecuted. In this case, from the details in the article, it seems he actually responded fairly ethically with his find.

        Unclear from the article is whether he first approached AT&T and they told him to bugger off or whether he went straight to Gawker.

  7. M7S

    Alas I am reminded that here in the UK we've been similarly stupid

    Regarding Daniel Cuthbert of the infamous DEC Hacking case.

    http://www.theregister.co.uk/2005/10/11/tsunami_hacker_followup/

    So whilst the presentation of "fact" by the prosecutor in this newer instance offends our professional opinion, glass houses and stones.

  8. Anonymous Coward

    Whistleblower?

    Auernheimer did not cause any criminal damage. Nor did he change any part of the server, it was already insecure.

    Auernheimer did not profit from the escapade. He could have sold the list on the black market; instead he voluntarily shared it with Gawker.

    Auernheimer did highlight the incompetence of 'public officials' which as far as I can reason is closest to whistle blowing. A person does not have to be an employee to be a whistle blower, they only need to be "making a disclosure in the public interest".

  9. Shades

    Speaks Volumes

    "This was a hack," Assistant US Attorney Glenn Moramarco (inarticulately) argued. "He had to decrypt and decode, and do all of these things I don't even understand."
    Words fail me!

    1. mIRCat

      Re: Speaks Volumes

      "This was a hack," Assistant US Attorney Glenn Moramarco (inarticulately) argued. "He had to decrypt and decode, and do all of these things I don't even understand."

      I may be a simple country lawyer, but this mega telecommunications company tells me this man was hacking their computers from the intertubes. Now if there's one thing I know about hacking, it's that this man is guilty of it!

  10. FrankAlphaXII

    >>Neither Weev nor AT&T is based in New Jersey, where the prosecution was heard.

    That's a puzzling statement given that AT&T's global network operations center is in Bedminster, NJ and the former AT&T Corporation from the Bell System breakup until the SBC merger was headquartered there, I'm sure they have pull with the prosecutors still. The Corporate Headquarters may be in Dallas now but the infrastructure is in New Jersey still.

    1. Anonymous Coward

      tax purposes

      It's registered in NJ for tax purposes (or at least it was in the '90s when I worked for them)

  11. Anonymous Coward

    You enter someone's house and take something that doesn't belong to you, it's theft.

    It doesn't matter that they left the front door wide open, it is still theft.

    1. NumptyScrub

      quote: "You enter someone's house and take something that doesn't belong to you, it's theft.

      It doesn't matter that they left the front door wide open, it is still theft."

      Pictures. You enter someone's house and take pictures of their stuff, leaving the originals in place. You then give those pictures to a newspaper.

      Is that theft? No. Is the newspaper handling stolen goods? No. Is entering their house through a wide open front door "breaking and entering"? No. It's trespass at best, and here in the UK that is a civil matter, not criminal.

      And in this instance, it is more analogous to entering a shop lobby through a wide open front door, because this information was taken from their public facing webserver. A computer that the public are invited to contact and make requests of.

      Or in other words, if I were to walk in to Best Buy, take photos of information displayed on payment terminals inside the store (showing transaction details for people buying goods, for instance), and then give those pictures to a newspaper, I've done a meatspace Weev. "Here is a copy of personal information that was left publicly visible at the Best Buy store, they should secure this stuff better LOL".

      And a judge could say "This was a hack, they did 'shoulder surfing' and 'photographing' and all these things I don't even understand." and then give me a several year custodial sentence for hacking and identity theft.

      People consistently use (sometimes deliberately) incorrect analogies in order to reinforce their point. I may well have done so above, and I would be happy for someone to correct this with something that better represents the action of copy-pasting from a browser window, after sending an HTTP GET request to a webserver that was willingly fulfilled by the aforementioned server.

  12. boba1l0s2k9
    Terminator

    Chilling effect....

    The particulars of this case would, in my mind, immediately kill the case. The fact it hasn't says something very scary about how we define "hacking". If his appeals aren't successful, as a side effect I think we'll see less publicity from grey/white hijackers, combined with more gubmint attacks on good hackers...

    Net result == fewer white hat hackers, fewer vulns being reported in the open, more innocents in jail. More hackers will work with companies that silently make payments to learn about new bugs, to be sold at a premium to big companies, governments, etc. so they can exploit the flaw. It's key that the 0day vendors not notify the party which has the bug in their product(s)/site(s). Compare that outcome vs. the man in this case who found a bug and went public. If he can't win his court cases all us IT folk are going to have to be ever more careful about how we report bugs. Or perhaps better for us: use a cash-for-zeroday.

  13. chris lively

    I think it's about time that attorneys become certified as to the specific areas of the law they are allowed to argue over. If it's a tech case then the attorney should have a cert stating they actually know what a bleeping computer is.

    Kind of like doctors. A general practitioner would likely be jailed for attempting to perform brain surgery. A lawyer without a certification in tech should be barred from even being in the room.

  14. kain preacher

    One thing to remember

    Theft in the US is not defined as permanently depriving someone. It's merely taking something you are not allowed to have. Hence data theft. Now the RIAA confuses copyright/counterfeiting with theft.

  15. Stevie
    Mushroom

    Bah!

    Let's understand something here. Getting into the server means figuring out a credential hack. Once that is done, the "innocent" thing to do is to contact the server owner and send them the credentials as proof of the hack.

    I find your front door open I dial 911 and tell the cops so they can contact you.

    Going for a wander around to see what's what suggests a rather more sinister agenda even if all he got was some e-mails.

    I take photos of your front room after wandering through them all and copping a good look at your sleeping daughter. Only the fact that you didn't see me in her room stops you from taking an axe-handle to my head.

    And AT+T's people aren't "public servants" as one commentator suggests, they are corporate employees. They don't work for you, they work for a large multinational corporation that has a well-known sensitivity about its computers and is able to afford the legal heft to do something about it if they find an intruder has been at the family china.

    I have to question the intelligence of someone who breaks into a machine belonging to such an entity, then goes for "lols" to prove he did it.

    When did the "if it doesn't belong to you don't touch it" rule stop applying? And why, after so many people getting their fingers slammed in the till drawer, can't these "security hole alerters" realize that they are *never* as clever as they think they are?

    I'm waiting for the inevitable "Asperger's Defense" to be filed and for the inevitable downvotes from those who thought that pulling out the upholstery and carpets from a new car and hosing it out with water was not at all suspicious for a murder suspect.

    1. NumptyScrub
      Trollface

      Re: Bah!

      quote: "Let's understand something here. Getting into the server means figuring out a credential hack."

      Nope, in this specific case it was simply editing the HTTP GET request made to the server to insert different ID numbers, e.g. instead of

      http://www.att.com/accounts/details.php?ipad_id=12345678

      you instead go for

      http://www.att.com/accounts/details.php?ipad_id=12345679

      and the webpage you get back has someone else's email address on it. No login required.

      Hopefully that should put this quote from the article in a new light:

      "This was a hack," Assistant US Attorney Glenn Moramarco (inarticulately) argued. "He had to decrypt and decode, and do all of these things I don't even understand."

      quote: "I find your front door open I dial 911 and tell the cops so they can contact you."

      Which of course invites the question of what you were doing looking at someone else's front door? Would you mind stepping to one side and turning your pockets out for us sir?

      quote: "When did the "if it doesn't belong to you don't touch it" rule stop applying?"

      Apparently at least several centuries ago, although it is more likely to be further back at the point that "rulership" was defined as a concept back in the mists of time. If you can reconcile "if it doesn't belong to you don't touch it" with the concepts of "search and seizure", "border control", or even "taxation" then you are a better (or arguably worse) man person than I. All my attempts end up sounding suspiciously like Communism (and/or Socialism).
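
A defender's view of the request pattern NumptyScrub describes above, as an added example that is not part of the original thread: flag any client that successfully retrieves many distinct `ipad_id` records in a short window. The log layout, IP addresses, threshold and window are assumptions; the path and parameter name are the illustrative ones from the comment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log layout: ip [timestamp] "GET url" status
LINE_RE = re.compile(
    r'(?P<ip>\S+) \[(?P<ts>[^\]]+)\] '
    r'"GET \S*[?&]ipad_id=(?P<id>\d+)\S*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S"


def find_enumerators(lines, max_ids=5, window=timedelta(minutes=1)):
    """Return {client_ip: peak} for clients that successfully fetched more
    than max_ids distinct ipad_id values inside any sliding time window."""
    hits = defaultdict(list)  # ip -> [(timestamp, id), ...]
    for line in lines:
        m = LINE_RE.search(line)
        if m and m["status"] == "200":
            hits[m["ip"]].append((datetime.strptime(m["ts"], TS_FMT), m["id"]))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        start = peak = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1  # drop requests that fell out of the window
            peak = max(peak, len({i for _, i in events[start:end + 1]}))
        if peak > max_ids:
            flagged[ip] = peak
    return flagged


def sample_log():
    """Constructed log lines (not real data): one client re-reading its own
    record, one with three devices, one stepping through 30 consecutive IDs."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    def line(ip, secs, dev_id):
        ts = (t0 + timedelta(seconds=secs)).strftime(TS_FMT)
        return f'{ip} [{ts}] "GET /accounts/details.php?ipad_id={dev_id}" 200'
    own = [line("192.0.2.10", 20 * n, 12345678) for n in range(4)]
    home = [line("192.0.2.11", 20 * n, 22000000 + 7919 * n) for n in range(3)]
    walk = [line("203.0.113.5", n, 12345678 + n) for n in range(30)]
    return own + home + walk


if __name__ == "__main__":
    print(find_enumerators(sample_log()))
```

Detection of this kind only narrows the window; the underlying fix is for the server to check that the requester is entitled to the record named by the identifier before returning it.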
