Weev gets 41 months in prison for exposing iPad strokers' privates

Andrew Auernheimer, a member of the grey-hat hacking collective Goatse Security, has been sent down for three years and five months in the slammer after he helped leak users' private email addresses via a flaw in AT&T's servers. Auernheimer, known online as Weev, received his sentence wearing shackles after he tried to bring a …

COMMENTS

  1. Anonymous Coward

    If you tried the same trick on someone's front door you wouldn't be able to use the excuse that you were doing security research.

    The servers aren't his property, therefore he is not allowed to play around with them, simple as that.

    If you want to hack hardware and software then make sure it is your own!

    1. Anonymous Coward

      God you're stupid. Comparing it to a front door is a childish attempt at misdirection.

      If nobody performed these kinds of investigations then the only people doing it would be criminals, and guess what, people stealing your details for profit aren't going to tell anybody about the flaw (except maybe other criminals for a tidy profit). Also telling the company responsible for the flaw rarely gets you anywhere (particularly if it's a big company) apart from occasionally a gagging order or prison.

      No this person did one thing wrong, and that was embarrass big business.

      1. cirby

        Except...

        A real "good guy" hacker would find the exploit and demonstrate it - without grabbing all of that data and handing it over to someone else.

        Likewise, someone who knew how to pick a lock wouldn't break into the house and rummage through the belongings of the people inside - he'd go to the manufacturer and show them how he did it, or wait and demonstrate the flaw at a conference.

        That "companies won't respond" line is pretty much false - it's an excuse given by hackers when they get caught doing something stupid. Usually, it's a lazy but egotistical hacker-wannabe who wants to make the headlines, but doesn't want to bother with actually calling the persons who are responsible for said security flaws. "I contacted the company" usually boils down to "I called their PR department, and they told me it was the wrong number."

      2. Tom 35 Silver badge

        If he did try it on someone's front door, and even helped himself to a TV, and somehow the cops bothered to look for him I don't think he would be spending any time in jail.

        His other fault was not kissing the Judge's arse.

      3. Anonymous Coward

        Not stupid - the law is the law.

        @ anon 18/3 @18:56

        If nobody performed these kinds of investigations then the only people doing it would be criminals, and guess what, people stealing your details for profit aren't going to tell anybody about the flaw (except maybe other criminals for a tidy profit). Also telling the company responsible for the flaw rarely gets you anywhere (particularly if it's a big company) apart from occasionally a gagging order or prison.

        Nope. "These kind of investigations" can be performed without immediate disclosure of personal information. Even if he downloaded data, he could have kept that confidential and used responsible disclosure to make AT&T aware of the issue, with a time clause to get their rear ends in gear but again without disclosure of personal details.

        I was once asked to verify if information protection was in place in a location which I am not allowed to name. When I found a route in, I had my big boss tell me I should copy a document from that service as proof. I told him that I was happy to show an authorised member of staff what to do and grab the data, but there was NO WAY I would touch a document myself. If, by any chance, information leaked about the data that I had copied, guess who would be suspected first? Not a chance.

        In my experience, teaching beginners about security properly rarely involves teaching them technical things - that inclination tends to come with the package. Making them think about consequences is FAR more important.

        Was the sentence appropriate? No, but if you piss people off by not giving them a chance, you risk that they throw the book at you. This is the point where you realise that people matter.

      4. WatAWorld

        God you're stupid to make the remark "God you're stupid".

        As it is, the only people doing it are criminals. Did you not read the article? Do you not understand the law?

        You could make the same lame "if we didn't do it only criminals would be doing it" argument with front doors of homes too, it would be equally invalid.

        1. Chris007
          Mushroom

          And you're a fuckwit for saying "God you're stupid to make the remark "God you're stupid"." and the rest of the pish you wrote.

          "As it is, the only people doing it are criminals" - what bloody planet are you living on, you moron.

          My initial thought was I hope you don't end up in a situation where you end up in jail for something that caused NO damage, NO financial loss (other than paying coders to fix the sloppily installed server) and he sought NO financial gain but then I thought "you know what it might be the wake up call WatAWorld needs"

          1. Anonymous Coward

            I hope you don't end up in a situation where you end up in jail for something that caused NO damage, NO financial loss (other than paying coders to fix the sloppily installed server) and he sought NO financial gain

            Chris, that isn't the problem. Those facts may act as mitigation to lower a sentence, but the bottom line is that a law was broken, and someone got punished for it. The guy got convicted exactly because there are other ways to do this, and he didn't even try any of those alternatives.

            Was the sentence excessive? In my opinion, yes, but those are the dice you roll when you break the law. He didn't exactly help himself by not showing remorse either (which no doubt contributed to the sentence).

      5. Nuke
        Thumb Down

        @ AC (18:56) - Re :

        Wrote :- "If nobody performed these kinds of investigations then the only people doing it would be criminals"

        Weev is a criminal. For future reference, a "criminal" is someone who commits a crime

        1. tekHedd
          Pint

          Re: @ AC (18:56) - Re :

          " For future reference, a "criminal" is someone who commits a crime"

          True, but not relevant. People are clearly using the term "criminal" here to mean "someone who deserves to be convicted" instead of "someone who *was* convicted." While not strictly correct, the rest of the pedants (and I include myself in this group) seem to be coping just fine. I find that beer helps.

          1. clean_state
            FAIL

            Re: @ AC (18:56) - Re :

            not quite: a "criminal" is someone who gets afoul of penal law, i.e. commits a deed that the state deems harmful enough to society to commit public funds to prosecute it and punish it with a jail sentence.

            In this case, please demonstrate the harm to society. There does not seem to be any, actually, there is a benefit in the flaw being promptly fixed by AT&T.

            The fact that there is a penal law that allowed this conviction just means that the law-making system is corrupt enough for such a law to exist. This law is an aberration so upholding it to quasi-religious standards with statements such as "the law is the law" is pretty short-sighted.

            But well, with the Supreme Court declaring that bribing a politician (election money) is "free speech" and protected by the first amendment, you guys are in big trouble.

    2. koolholio
      Joke

      As long as you don't distribute the code and it's not a Sony Playstation!

    3. LarsG
      Meh

      The justice system

      Needs to be updated from 1.0 to 101.9.

    4. Wzrd1

      "If you tried the same trick on someone's front door you wouldn't be able to use the excuse that you were doing security research."

      That was the point I was going to make. If my front door has a cheap lock, that doesn't mean a random stranger may pick the lock and toss my home.

      If you want to hack hardware and software, but don't want to hack your own, get a contract with the owner. You'll turn a nice profit and hack to your heart's content.

  2. This post has been deleted by a moderator

  3. Anonymous Coward

    Importance

    ... or lack thereof: Auernheimer will find out how little of it he has, very soon now. The only importance he has is self-importance.

  4. ratfox Silver badge
    Devil

    Showing no contrition

    If there is one thing that the justice system hates, it is criminals who don't make at least a show of regretting what they have done. It is a bit like declaring at the customs that your job is smuggling. I bet the sentence would have been way more reasonable if he had "treated them with respect".

    1. Knochen Brittle

      Contrition is a religious concept,

      and one easily mimed, for which there should be no consideration in a rational and fair legal proceeding.

      What you are really referring to is the practice of pandering to the sentencing Judge's pampered sense of sadism by engaging in a (generally lawyer-advised) ritual bout of 'voluntary' self-abasement taking the form of grovelling apologies and abject pleas of misericordia. Those who are innocent or proud refuse to engage in this extra-judicial public auto-flagellation and so are otherwise punished with a more severe sentence within the (corrupt) Judge's 'discretion'. Those who do, get the sentence already decided upon - i.e. gain no benefit from the humiliation.

      Another weighty factor here are the desired political effects, of which I can see two:

      1. The lower classes must (re)learn that their place is toiling in silence, not embarrassing OverLords with disclosures about their vulnerabilities or crimes - lulz, satire or free speech against the ruling mafia will be severely punished.

      2. Hackers must learn to tremble in pre-emptive fear of the Pentagovernment, and quietly render any discovered 0-Days to the CyberOffence Command for Droit-de-Seigneur-style exploitation against the fabricated enemies-du-jour, both foreign and domestic.

      Of course, for the morose US legal body, in which the highest value is the perpetual impunity of State warcriminals and torturers, this kind of savage result is achieved during coffee breaks, hardly even counting as in the day's work.

      So, au contraire - it's a filthy, rotten Injustice System, which earns no respect but rather an immeasurable contempt.

      Free All Political Prisoners, Free Weev!

      1. ratfox Silver badge

        Re: Contrition is a religious concept,

        I think you don't get it. The point of the justice system is to get people to act legally. There were plenty of ways to report the flaw without sending private user data to the press. It was even possible to publicly embarrass the company by revealing the flaw without actually leaking private user data. So Weev broke the law without any proper justification, not even that of being a whistleblower. Satire is protected free speech, but lulz is not.

        In that case, the job of the justice system is to first, point out that this is illegal, and second, to deter people from doing it. When the accused is proudly admitting breaking the law and claiming it is the right thing to do, the justice system has to make it especially clear that no, it is not. And the more the accused insists on advertising his claims, the harsher the justice system has to be.

        It is not about forced humiliation. Here, just shutting up would have been preferable.

        1. Knochen Brittle

          "The point of the justice system is to get people to act legally"

          That's the kind of touchingly infantile political naiveté so essential to the class of people who design and use that system to subdue the masses into acquiescence, allowing their injustice to continue unhindered. Well done!

          Your practically religious resistance to reality would be admirable, if it did not have such severe consequences.

          Check this and see if you still agree with yourself:

          http://www.freegarytyler.com/writings/isr.html

          1. Anonymous Coward

            Re: "The point of the justice system is to get people to act legally"

            "That's the kind of touchingly infantile political naiveté so essential to the class of people who design and use that system to subdue the masses into acquiescence, allowing their injustice to continue unhindered."

            Yes, like a telephone company who store people's email.

            FIGHT THE POWER!

            DOWN WITH TELEPHONE COMPANIES WHO SUPPLY EMAIL TO IPADS AND ALL THEIR DESPOTIC SYSTEMS OF INJUSTICE THAT SUBDUE THE MASSES INTO ACQUIESCENCE!

            etc etc, till you turn 14 years old

          2. Anonymous Coward

            Re: "The point of the justice system is to get people to act legally"

            Hahaha. HahahaHAAAAhahaha hihi hahahahahah HAHAHAHA. Sorry, haha, let me catch my breath, hahahaha. Hah. Hihihi. So someone gets a few years in the slammer because he behaved like an idiot, and you compare this to a death row situation? Seriously?

            The evidence was very clear and simple, no doubts there. Secondly, he had plenty of opportunity to follow legal routes to make this problem known, he chose not to. Thirdly, he didn't even have the brains to even *pretend* to have remorse at his trial, so they threw the book at him. Don't you think your reference may just be a teeny weeny bit irrelevant and OTT? No?

            As for the rest of your rant, the law is there to enable a livable society. Your contract to derive rights from participation in that society is contingent on making an effort to follow the law and the obligations a society imposes on you. If you break the law, you harm the rights of others which can lead to punishment. Granted, that system could be improved but the principles are there. If you don't like those obligations and laws (aka rules), in most societies you also have the right to leave.

            A couple of years in less enlightened sections of the planet may prove educational anyway.

        2. JEDIDIAH
          Linux

          Re: Contrition is a religious concept,

          No. You're just kidding yourself. You're assuming that the corporation will act in good faith when that is the least likely thing to happen. Even multiple public shamings and large jury awards don't always encourage corporations to do the right thing. Assuming that they would mend their ways because of a polite little note is absurd bordering on being a diagnosable psychological disorder.

          Despite his other conduct, exposing this to the world was a valuable public service. We would never have known otherwise and AT&T would never have any motivation to clean up their act.

          1. Anonymous Coward

            Re: Contrition is a religious concept,

            Believe it or not, companies don't actually want to expose their customers' personal information to the internet. There's laws against them knowingly doing it etc. Data protection law etc. Naming and shaming publicly really isn't in anyone's interest. I know, as I've worked on these things, with these companies. They're not overly keen on going to jail, like most people.

            But you crack on, publishing individuals' personal details on the net is the only way to achieve change.

  5. NukEvil

    derp derp

    If you don't like it, stay the hell out of our country. We are happy to let our corporate overlords rule us to death with impunity, and we would greatly appreciate it if that annoying constitution didn't make such a racket when being flushed down the toilet so often.

    Already, we're having people that believe that our government is still held accountable by its people.

    Join me, fellow citizens of the State, in bowing down to worship our overlords--both corporate and the oligarchy that is our government--in this momentous great day. A day in which a criminal has met his karmic punishment at the hands of the very tools he used to commit great crimes. The first letter in each line in this comment should accurately describe our judicial system.

    1. MondoMan
      WTF?

      Re: Idrajokl????

      Your formatting or my lack of understanding?

      1. Ole Juul Silver badge

        Re: Idrajokl????

        It's a puzzle. HTML wraps unless you use /pre or line breaks (/br). In this case I get IwbAJtta at my usual 120% and IdrAJopc at 100%.

        1. NukEvil
          Trollface

          Re: Idrajokl????

          Hmm. Let's see, either I can blame myself for not taking the screen size/format settings of others into consideration, or I can blame others for not being able to see it properly. Hmmm...

          Perhaps a screenshot will do for those of you who use a browser that refuses to follow basic web standards:

          http://i.imgur.com/NHBiGMm.png

  6. Eddy Ito Silver badge

    I don't get the $72,000 restitution to AT&T. Is this what it cost them to fix their own shoddy code? Certainly AT&T haven't suffered anything other than a little arse ache which they rightly deserve.

    Granted, he could have been a bit less smug about it but he might have seen the writing on the wall over the course of the trial by paying attention to the judge's reactions. Judges like to appear unbiased but most every time I've done jury duty it's been pretty clear what the judge's opinion was by the second day.

    1. Steve Knox Silver badge

      I don't get the $72,000 restitution to AT&T. Is this what it cost them to fix their own shoddy code?

      More likely it's what it cost them to notify their affected customers and deal with hacks related to the breach of information (possibly x3 as that's a popular punitive proportion.)

      1. C-N
        Trollface

        A Great Way to Finance Your Business

        1. Build shabby website.

        2. Wait for inevitable "hacking" attempt. (could simply be a frustrated customer, who cares)

        3. Get gov't to prosecute & sue for restitution

        4. Use restitution to hire engin^H^H^H^H more marketing!

  7. rictay
    Facepalm

    Freedom of the Internet? In your mind, chum

    "...The Internet is bigger than any law can contain...." This is a common misunderstanding of what the Internet is. Internet means "Internetwork" - it consists of dozens of corporate networks plugged together with a common comms protocol.

    I've worked on Internet development projects since the 90s and am constantly amazed by the naive drivel that passes for expertise today.

    If the network administrators of those cooperating networks decided to block any traffic that neither originated from nor was destined for their own users, ie their networks became private again, then your precious Internet would disappear overnight. You'd be back with the CompuServe model again, ie, the only services available would be those provided by, or approved by your ISP.

    Same if "The Law" made those network administrators responsible for the porn, trash, hackers, spam, pirated music, films, and software that crosses their networks. Dozens of corporate networks would become private again overnight and bang goes the Internet. Don't think it hasn't been discussed. Don't think it can't be done.

    1. Mr Anonymous
      FAIL

      Re: Freedom of the Internet? In your mind, chum

      So have I, what a load of old guf you're spouting, closed networks = less money, therefore we will not see a return to AOL or CompuServe.

      However, Fecalbook would certainly like to see a hybrid model of their users and other companies paying for the network, while they extract all the cash.

  8. IT Hack

    Big People

    And yet again the US judiciary and public attorneys so that they are not interested in the safety of the plebs who use the net...but only the big boys.

    These stories do nothing but reinforce my reticence to ever go back to the US...

    1. Anonymous Coward

      Re: Big People

      Actually this shows that at least one person in the US Justice Department cares about the little guy.

      You can't have people going around tossing rocks through windows 50,000 at a time in order to demonstrate that glass windows are insecure and getting away with it.

      The, "If I didn't throw rocks through windows only crooks would throw rocks through windows" argument just does not hold water.

      1. IT Hack
        Pint

        Re: Big People

        Firstly I feel I need to apologise for the above horror show of a post. Not in terms of spelling mistakes but rather missing entire letters out! Not good.

        I also failed to be clear what my actual objection was.

        The length of the jail sentence is far too extreme for the level of the "crime". Given that the data was available on an open web server. Rather than censuring AT&T for lax security the judge and prosecutors went after the security researcher. Not that he is entirely innocent...but at most he's guilty of foolishly not thinking through how to report his findings in a more...professional manner.

        The only reason the guy was sentenced to a ridiculously long amount of time, and fined to boot, was because he made AT&T look foolish, and had emails of people in positions of influence and power. If all those emails had been ordinary folk I bet you he'd have never been sentenced to such a long time in prison.

        Of course this is only my opinion and I could well be wrong and you would be right in presuming that I am typing this in a ranty rage. However it is quite clear that when it comes to computer "crimes" the US does tend to take things to an extreme...it either being driven by prosecutors wanting to make a name for themselves (and judges) or powerful people able to hire suits that the defendant just does not have the resources to compete against.

        Pint coz well ranty rages are a thirsty business, right? ;)

        1. Fred Flintstone Gold badge

          Re: Big People

          Firstly I feel I need to apologise for the above horror show of a post. Not in terms of spelling mistakes but rather missing entire letters out! Not good.

          Hey, happens to me too. Not a problem :)

          The only reason the guy was sentenced to a ridiculously long amount of time, and fined to boot, was because he made AT&T look foolish, and had emails of people in positions of influence and power. If all those emails had been ordinary folk I bet you he'd have never been sentenced to such a long time in prison.

          I think it probably had more to do with the fact that the judge couldn't really see any remorse for his activity. The idea of a punishment is to prevent a repeat or correct behaviour. If the accused has already spotted where they screwed up (or can act convincingly, let's be realistic), the sentence needs not to be that harsh to ensure lawful behaviour.

          If the accused doesn't show remorse, the sentence gets harsher because it still has to be made clear to the defendant that what they did was A Really Bad Idea, and because leniency could otherwise encourage other idiots to act in the same way. IMHO, the situation is aggravated by the fact that US works on precedent - if this guy had been able to walk off with a short holiday it would have set precedent for similar cases.

          I'm not entirely clear what the AT&T restitution was for, though.

          1. Anonymous Coward

            Re: Big People

            " If the accused has already spotted where they screwed up (or can act convincingly, let's be realistic), the sentence needs not to be that harsh to ensure lawful behaviour."

            So from your parentheses, you accept that the contrition bit is just theatre? Certainly appears to be standard in the local rag "before the magistrates", where week after week repeat offenders get lighter sentences by bleating on about how sorry they are, how they suffered exceptional misfortune themselves, and promise upon their mother's soul to go straight as soon as they are free.

            If the judges are sufficiently daft to go along with this nonsense, then perhaps the pols need to set tariffs themselves, and abolish judges' discretion in sentencing.

          2. IT Hack

            Re: Big People

            @ Mr Flintstone

            Whew! I'm not the only one! I've been leaving out entire words recently...must lay off the pints ;)

            It's not easy to show remorse for something that really wasn't bad as such. He should have tempered his language though. Either way though it is still an entirely over the top sentence. Ultimately the only thing he really did wrong was going about his research the wrong way...and ending up in a court with a judge who is not tech savvy to the extent that the intricacies of this kind of work is understood.

            I reckon the AT&T fine was just putting the boot in for the hell of it.

  9. This post has been deleted by a moderator

    1. WatAWorld

      Re: computer crimes

      He did not make a political protest, he did not create a work of art, he posted people's personal data.

      What he did has about as much to do with freedom of speech as, for example, not picking up his dog's poop in the park or raping a woman.

      1. Chris007
        Flame

        Re: computer crimes

        You again...ffs will you take the time to do some research and ** try ** to understand the points that the post you replied to was making.

        Not sure what your problem is but you have a seriously deluded view of the world.

      2. Keep Refrigerated
        FAIL

        Re: computer crimes @WatAWorld

        Because we put people in prison for 3 years for not picking up dog poop? Because altering a URL and then creating an automated script is a crime on par with forcing yourself upon a woman and subjecting her to a despicable assault such as rape?

        People who think like you are the reason this world is so f**ked up.

      3. Vic

        Re: computer crimes

        > not picking up his dog's poop in the park or raping a woman.

        I wish I had more than one downvote to assign...

        Vic.

    2. Anonymous Coward

      Re: computer crimes

      Yes it's being punished too heavily. What it means in practise is that people who find an exploit now know they keep stumm about it---just as people I knew working for a large corporate in the 90's did---or use it for criminal purposes. What not to do is publish it or brag about it. I saw people get in trouble for revealing back doors, or being suspected as a `hacker'. I even kept my crack scripts in zombie accounts!

  10. Mike Moyle Silver badge

    Redaction...?

    Based on this one article, it sounds like he didn't redact any of the customers' information before sending the data to Gawker to publish. That's making a lot of third parties pay in aggravation (and the possibility of identity theft, etc.) for their ISP's failure. Frankly, AT&T's embarrassment is of zero importance to me -- punishing users for their choice of connectivity vendor strikes me as being more than a bit of a dick.

    He could have -- relatively easily, I'm sure -- redacted the information in such a way that Gawker or some other news outlet could have presented it to ATT, asking for confirmation that it was theirs and asking if they were aware of the flaw in their security, without leaving the users hanging in the wind.

    Also, there is no mention of how LONG he waited for ATT to fix the flaw before going past them for the publicity. Three days...? A week...? Three months...? This has bearing, I think, on whether his actual goal was giving ATT a genuinely reasonable amount of time to verify the problem, fix the code, test the fix, and roll it out, or whether it was just to cover his ass with the "Well, I TOLD them and they did NOTHING so I HA-A-A-A-AD to go over their heads" defense.

    1. Anonymous Coward

      Re: Redaction...?

      I used to use the name gawker on irc a long time ago, hope they don't get confused and arrest me!

  11. Andus McCoatover
    Windows

    Idiot!

    Why didn't he create a couple of his OWN accounts, then try to crack them, and only those, then tell the BOFH how he did it.

    If it was his OWN accounts that he cracked, not much cause for a hefty fine...or porridge. That's how I'd do it.

    Oh, wait. Cattle prod/weekend in the tape safe?

  12. Anonymous Coward

    He's Right

    "Internet will topple governments,"

    He's right.

    1. Anonymous Coward
      FAIL

      Re: He's Right

      You really think obese people in front of computers will achieve anything ?

      Unemployed professionals in large numbers without electronic sedatives - they can achieve something. The intarwebs will achieve nothing while crumbled finance can achieve all sorts of highly nasty stuff.

      1. Fred Flintstone Gold badge
        Thumb Up

        Re: He's Right

        You really think obese people in front of computers will achieve anything ?

        *Love* the sarcasm :)

    2. Anonymous Coward

      Re: He's Right

      But other than that, he's just a stupid thief.

  13. Steve Mann

    Bah!

    He should have used the time-honoured "Asperger's" defense.

    1. Anonymous Coward
      Flame

      Re: Bah!

      No he shouldn't. He did us all a service by exposing what is really going on. These days, you are not punished for actual crimes, but for the Crime Of Embarrassing Important People.

      Whenever you have an interview, tell people you won't travel to the US on business duty, as you don't trust their justice system. Stop buying American goods. Buy ARM-based computers. Stop drinking Coke. Maybe that will send a message.

  14. Anonymous Coward

    Its a fair sentence.

    It is a fair sentence. This isn't the wild west.

    If you steal from an unlocked home it is still burglary. If you steal a car that has the keys in the ignition it is still car theft.

    If you have to fiddle to get the data, then you're into the analogy of glass windows that break and cars that can be hotwired.

    1. Yet Another Anonymous coward Silver badge

      Re: Its a fair sentence.

      No he didn't break anything, he didn't damage anything, he didn't deprive the owners of anything and didn't cost any of the owners of the data anything in lost sales.

      What he did was the equivalent of the USPS selling an envelope that was transparent if you held it up to the light - he held some envelopes of senior US govt figures up to the light, pointing out that the Russians/Chinese/n Koreans/Iranians/Milk marketing board - could do the same, and was slapped for it.

      1. Anonymous Coward

        Re: Its a fair sentence.

        First, he deprived people of their privacy.

        Second, the embarrassment probably cost AT&T money sales.

        What he did was akin to going into a post office, steaming open the mail, photo copying it, and publishing it in the New York Times.

        1. MachDiamond Silver badge

          Re: Its a fair sentence.

          Actually, AT&T deprived those people of their privacy with poor security. How he handled disclosing the hole to AT&T, if he did, before submitting the information to Gawker is not reported in enough detail for me to make any judgement on how honorable he was in that regard. I have had the experience of reporting a security issue to a large company and getting a snotty letter in return telling me to leave that sort of thing to the "professionals". I didn't take it any further which may have saved me the grief this person has had to endure.

          Members of government worldwide are not broadly educated people and many of them fear and are threatened by people with expertise outside of their knowledge. In my experience, I have found that attorneys, which most politicians are, tend to be of rather low intelligence. A glaring example is US president Obama. He was/is an expert on the US constitution but has been trying and succeeding in getting laws passed that violate provisions of the US's constitution.

          Remember what happened to Kevin Mitnick. When Kevin was in court a prosecutor told the judge that Kevin could launch a nuclear missile from a touch tone phone. Kevin laughed since the idea was completely absurd and that prompted the judge to have him placed in solitary confinement where he was not allowed anywhere near a telephone. Kevin scared the c**p out of the government and police forces since he was able to hack their phones and stay a step ahead of them for a long period of time. This was against the police's belief that their cell phones were hack-proof as they had been told.

          If you scare the police or a government or a large corporation that owns a piece of a government, they will come to get you and make you disappear.

        2. JEDIDIAH
          Linux

          Re: Its a fair sentence.

          He didn't deprive anyone of anything. AT&T did. He merely pointed out that AT&T was doing the equivalent of sending around customers' personal details on postcards.

          What he did deprive people of was their false sense of security.

          He poked his head through your unlocked front door and told you you forgot to lock it.

          AT&T was perpetrating the real harm here and they're the ones whose heads should be on the block. They should be looking at a 7 or 8 figure tort judgement right about now.

    2. Thorne

      Re: Its a fair sentence.

      "If you steal from an unlocked home it is still burglary. If you steal a car that has the keys in the ignition it is still car theft."

      Let's use the car theft example

      He saw the car with the keys in it. He knocked on the door and said "Excuse me but did you know you left your keys in the car?"

      The owner responded with "Fuck off you snot nosed little twerp and mind your own business"

      Not happy with the response, he hopped in the car and did a massive burnout out the front of the house.

      As a result he's now charged with car theft and sent to jail. If the idiot car owner had listened and did something, then everything could have been avoided.

      1. Anonymous Coward
        Anonymous Coward

        Re: Its a fair sentence.

        Let's use the car theft example

        Yes, let's.

        He saw the car with the keys in it. He knocked on the door and said "Excuse me but did you know you left your keys in the car?"

        Well done. There is no obligation for him to tell the owner, so that's a positive act.

        The owner responded with "Fuck off you snot nosed little twerp and mind your own business"

        Being less civilised is legal too. Proven on a daily basis in this very forum :/

        Not happy with the response, he hopped in the car and did a massive burnout out the front of the house.

        HONK HONK, to stay with the car theme. Wrong. Regardless of whatever the owner says or does or how he behaves, our intrepid adventurer had not gained permission to access/use the vehicle. The act of warning the owner beforehand actually makes things worse because it shows he knew that to be wrong. In addition, doing a burnout takes serviceable miles off the tires and can thus be considered as damage - bigger fine..

        As a result he's now charged with car theft and sent to jail. If the idiot car owner had listened and did something, then everything could have been avoided.

        Nope (pedantic question: if the car is still there, is it theft? Wasn't there some sort of minimum distance qualifier?). None of the punishment was contingent on any action or behaviour of the owner, that doesn't even come into play as far as the law is concerned.

        He could have:

        - not warned the owner and just walked on

        - just go after informing the owner, and leave the car as is

        - inform the police, the report would have caused problems for the idiot owner in case the vehicle was stolen as the insurance would see that as a good reason not to pay up

        As with the actual case, the man had legal options he chose not to take, and opted for the one action which was illegal and would cause harm, not just to the company but also to innocent 3rd parties.

    3. JEDIDIAH

      Re: Its a fair sentence.

      > It is a fair sentence. This isn't the wild west.

      You clearly have ZERO understanding of the facts of this case and the so-called "crime".

      Burglary? Grand theft auto?

      Really. You're either stupid or really dishonest.

  15. Joe Gurman

    Service and disservice

    Yes, Mr. Auernheimer did AT&T and its iThingie customers a service. No, he did not go about it in an hono[u]rable or legal way. Nor does he have the emotional maturity to realize that society, however imperfectly, protects itself against vigilantes through the rule of law, lawyers and judges though it may involve. At some point, the self-appointed, mostly autism spectrum disorder (we no longer have Asperger's in the US) sufferers with great technical skills and little or no moral judgment or maturity will have to realize that witches and wizards get burned at the stake. Their technical skills count for nothing if they can't make a rational, mature argument for their actions, or if they don't or won't perform the moral calculus that admits, "I am not all-powerful, and I may have to pay a fairly serious penalty if I go through with this act of self-aggrandizement."

    Note to Mr. A.: Governments and their ability to use physical coercion will be around long after the Internet is as quaint as the buggy whip or corset stays. But I suspect you will realise that as soon as your cellmates start making kissy faces at you.

    1. Knochen Brittle
      Thumb Down

      Another vicarious prison rapist

      enjoys a frisson of government-approved pleasure as he mentally lubes-up the intended victim.

      That's a sick and twisted outlook, Gurman, and, yes, I know flaunting this condition is popular amongst those mentally crippled by the Hollywood propaganda machine.

      1. bag o' spanners

        Re: Another vicarious prison rapist

        I've had occasion to wonder why commentards are so keen to lube up by proxy as soon as a house of correction is mentioned. I'd be more concerned about gang warfare, protection rackets, psychotic warders, and institutionalised racism if I got banged up in the States. Especially if it was one of those private lockdown establishments that make Gitmo look like the soft option.

  16. This post has been deleted by its author

  17. Mike Smith
    FAIL

    No real news here...

    "sending someone down for over three years, near-bankrupting them with fines, and setting such a long probation victim looks less like justice and more like judicial spite."

    In other words, a normal, run-of-the-mill American trial and sentence.

    There's always been something vindictive and spiteful in the American justice system, and I feel sorry for the poor sods caught up in it. I'm damn glad Theresa May refused to hand Gary MacKinnon over.

    IMO, you've more chance of getting a fair trial in The Hague than in any American court these days.

  18. Anonymous Coward
    Anonymous Coward

    What a crock

    This guy wasn't a "grey-hat" he was and still is a lowlife hacker. He tried to extort AT&T. He did not try to eliminate a security hole. It's laughable at the foolishness that passes for "knowledge". Some in the media either add their own spin on the story or print the story as they want it to be told, even if untrue. He got off with a slap on the wrists.

    1. Thorne

      Re: What a crock

      If he tried to extort AT&T then he would have been charged with extortion

  19. Anonymous Coward
    Anonymous Coward

    His biggest crime?

    He embarrassed some important people.

    Back in your box/cell citizen!

    1. Anonymous Coward
      Anonymous Coward

      Re: His biggest crime?

      "He embarrassed some important people.

      Back in your box/cell citizen!"

      No one person is important. Only *your* loved ones are important, to you.

  20. Anonymous Coward
    Anonymous Coward

    Shall we keep a database of judges?

    You know the scum that hounded Aaron. This judge. And so on. In my fatherland (Germany) nmap is illegal. At least it's very clear. Make sure you have at least an encrypted disk before entering Germany. I'm sorry our judges also seem to be idiots. Please be careful when you travel there.

    1. Anonymous Coward
      Anonymous Coward

      Re: Shall we keep a database of judges?

      WHAT? In Germany nmap is illegal???? How do you check the security of a server center you have to look after then?

      That cannot be right

      1. Anonymous Coward
        Anonymous Coward

        Re: Shall we keep a database of judges?

        Ironically, using data in court obtained through state sponsored theft is deemed perfectly acceptable in Germany.

        Weird place.

  21. ejmfoley

    Incorporate

    The people that find these vulnerabilities always seem to be prosecuted overzealously. To them, I say incorporate. Google went around sniffing everyone's wireless networks. The way things are going, if Google were an individual, it would have gotten 25 years in prison. Instead, as a corporation, it gets a measly (for a multibillion dollar corporation) $7,000,000 fine. So pay the $100 or so fee, turn yourself into a corporation, and do it under the corporation's name. You may still get fined, but it would probably be harder to throw you in jail.

    1. Anonymous Coward
      Anonymous Coward

      Re: Incorporate

      You first need to strike a deal with your local government that you give them a copy of all the data you can get your hands on. That way they'll leave you alone, and even lobby for you abroad to legalise what you do there.

  22. Colin Wilson 2
    Headmaster

    Just one user?

    iPad user's privates? Not a big deal. Unless you meant iPad users' privates.

  23. Anonymous Coward
    Anonymous Coward

    "looks less like justice and more like judicial spite"

    Which is exactly what it is! Well done to the 'cains, way to make your brethren look stupid!.

  24. James Gosling

    Looking at the pragmatically...

    Looking at the pragmatically it sounds like all this will achieve is to turn a perhaps a little naive Grey hat hacker into a bitter Black hat hacker. When he eventually gets out of jail I don't imagine he is going to feel very public spirited and no doubt will take out his grievance upon the world either for personal gain or simply out of anger. That clearly is not an outcome in the public interest.

    1. NukEvil

      Re: Looking at the pragmatically...

      And if he does, he'll simply either be put into prison for a longer sentence, or be hounded by the courts until he finally commits suicide. Either way, he loses.

    2. Anonymous Coward
      Anonymous Coward

      Re: Looking at the pragmatically...

      Not that he's going to be able to get near a computer without someone watching, because that is *exactly* what they'll expect. And it conveniently validates putting him away the first time, so they'll do it again.

      For longer. In a less nice place. With a cell mate called Bubba. Add your own shower soap jokes.

  25. Anonymous Coward
    Anonymous Coward

    People in denial

    Those who think that hackers like this don't cause damage are technically ignorant and unqualified to even post a comment on the subject. Until you've had to resolve an enterprise hack issue, you are unlikely to understand or appreciate the complexity and complications associated with this crime. IMO with only a 41 month sentence, he is getting off far too easy.

    1. JEDIDIAH
      Linux

      Re: People in denial

      Nope. We understand just fine.

      What we understand is that a "hack" like this is so bad that anyone associated with it should put a bag over their heads and never be seen in public again. It's a situation so bad that it calls for Puritan style public shaming complete with stocks and rotten produce.

      If you build trash that makes the rest of us look bad, don't expect any sympathy.

  26. Anonymous Coward
    Anonymous Coward

    Auernheimer the unsympathetic jerk?

    'Auernheimer’s case hasn’t elicited as much outrage or sympathy as the others have. This is likely because Auernheimer is a huge jerk. He has a long history of race-baiting and malicious trolling. “I hack, I ruin, I make piles of money. I make people afraid for their lives,”

    Auernheimer told Mattathias Schwartz in a 2008 New York Times Magazine piece about online trolling. In that same story, Auernheimer admitted to harassing a blogger named Kathy Sierra—or, as he described her in an email that also included her home address and Social Security number, “a cockholster chugged full of cum that isn't even worth giving the time of day.”'

    Andrew "Weev" Auernheimer Might Be a Jerk

  27. phil 27
    Unhappy

    Well, I'm sort of torn on this one, firstly unlike a lot of the preaching types here, I've *tried* to report a flaw to a website I wasn't involved with commercially and been accused of "hacking" by a clueless sysadmin a few years back, even though I'd noticed the flaw going about my legit business, and had notified them rather than trying to exploit it further. And it was done for the guy to save face, and he was friends with their legal dept. Not a pleasant experience but not one that ended up as bad as it could have.

    That taught me a harsh lesson, unless you're under specific engagement contractually to test something, never ever ever try to be open and helpful and do full disclosure anything but anonymously as you're exposing yourself to risk needlessly. I had a spate of reporting things anonymously via throw away email addresses set up after multi hopping through proxies and VPNs but I've given it up as a completely bad job now. Why risk it at all? Just wait for them to get p0wn3d by some kiddies and job done at no risk for me. It's not good internet citizenship but you can't be a good citizen with the politicization of internet security going on of late.

    Secondly the actual sentence for what is in effect exposing a shitty api with no security is completely inappropriate. He didn't even have to circumvent any digital controls, which is the legal definition of hacking, just use the standard interface in the way anyone could on the public internet. If you lose that distinction I could put a webpage up with robots.txt set to deny listings by goog etc, and charge you with illegally accessing it as I don't want it public. AT&T should be in the dock for letting it go live and handle subscriber data in that state, not getting the feds to bash the finder over the head until he's out of sight.

    So given the above, why am I torn? Because weev has been a pain in the ass to the internet for years and it's certainly his karma catching him up. The GNAA, last measure, 4chan, ED and other things done solely to piss in everyone else's pool. I can't think of any good thing he's been involved with. He is part of the cancer that is destroying the internet.

    Having said that, it's the sick porn distributors and incomprehensible idiots we should be defending the strongest, justice shouldn't just be for the nice people on the net, so I hope the EFF etc step up to the plate regardless of his history which shouldn't come into this.

    Torn torn torn, and not posting anon for a change.

  28. Gert Leboski
    Trollface

    Nasty piece of work, that Weev.

    http://www.nytimes.com/2008/08/03/magazine/03trolls-t.html?pagewanted=all&_r=0

    Well worth a read. This is from a few years back now, but I doubt he's changed for the better.

  29. Ted Treen
    Pint

    'Internet will topple governments,' defendant proclaims...

    If only it were that simple...

  30. Henry Wertz 1 Gold badge

    Lesson learned...

    Lesson learned... if I find any hole in any AT&T product or service, I'll make sure to sell it to the highest bidder, and try to keep AT&T from finding out about it, since they will just take you to court if you actually report a flaw to them.

  31. DanceMan
    Thumb Down

    Perspective

    After reading all the comments, there's not a lot to like here. The sentence is too harsh, but the asshole (past history referenced by other commentards) brought it on himself. He's obviously been around long enough to know the protocols, and ought to know how to act (and I mean that in the theatrical sense) in court.

    But when you take a step back from this issue, and look at the banking and economic crisis, in which the execs responsible for putting the world into this mess did not even face charges, in fact were even rewarded with more excessive compensation, there is something sick about this. And especially when you think of the Aaron Swartz case. Apparently only certain types of white collar crime will attract prosecution and stiff penalties in the USA.

  32. Dave Keays

    The users were hurt and they have rights too.

    Was the punishment too harsh? Sounds like it to me but not to others. As a society we've agreed that in gray areas like this where the line hasn't been clearly drawn, to not take the law into our own hands, to abide by a judge's final say, and challenge an unjust judgment within the system. If you think that system must be overturned then stand up and fight it but don't expect me to join you or cheer you because I don't think we are at that point. The value behind the system is too great to justify canning it.

    Is it wrong to give somebody a final say in gray areas of the legal system? You wish to live in a world I do not. I've been screwed with by others claiming to be doing good too often for me to care if they think it's ok.

    Was AT&T truly harmed? Well, AT&T wasn't the party harmed (except for trespassing). However, there is a good chance that many or most of the users affected did not want their email addresses shared. It is their right to say no just like it is your right to say yes. They were harmed and restitution should have been paid to them instead of AT&T.

    As an example in the real world: I don't care if a bloody nose isn't as bad as a broken spine, I'm still going to defend myself against someone who thinks they have the right to punch me in the face. The legal system is just a way to defend myself from others inside the system that want to steal personal information I don't voluntarily give to the public.
