Jail Looms For Man Who Revealed AT&T Leaked iPad User E-Mails 124
concealment sends this quote from MIT's Technology Review:
"AT&T screwed up in 2010, serving up the e-mail addresses of over 110,000 of its iPad 3G customers online for anyone to find. But Andrew Auernheimer, an online activist who pointed out AT&T's blunder to Gawker Media, which went on to publicize the breach of private information, is the one in federal court this week. Groups like the Electronic Frontier Foundation worry that should that charge succeed it will become easy to criminalize many online activities, including work by well-intentioned activists looking for leaks of private information or other online security holes. [Auernheimer's] case hasn't received much attention so far, but should he be found guilty this week it will likely become well known, fast."
He did it wrong, obviously (Score:4, Informative)
Anon pastebin is the way.
Re: (Score:1)
Then it would have made no difference. You can't test free speech and outdated computer crime laws in court under the guise of anonymity.
Who in their right mind prosecutes this? (Score:2)
Re: (Score:2)
That would only stand if staff didn't take direction from the political arm which happens to be manipulated by money from special interests.
Re: (Score:2)
When we're done killing all the messengers.
Re: (Score:3, Insightful)
Actually, no. There is no such thing as "the feds" in the USA.
There are service organizations for companies to use, which protect industry interests, but are paid by you.
An actual government would defend you against the companies, and put everyone in jail even tries to "lobby".
But hey, in the US, many people loudly yell and proclaim they want a "small government" and "free market", because they confuse that industry instrument with an actual government, and confuse freedom for companies to abuse them with f
Re: (Score:3, Insightful)
The best is, not to listen/watch any of it at all. Including websites/blogs/etc.
Says the AC posting on /.
Re: (Score:1)
Re: (Score:2)
Come now, slavish adherance to corporate interests is hardly a sole characteristic of the left. *snort*
Re:Who in their right mind prosecutes this? (Score:5, Insightful)
at&t probably pursued and lobbied for charges to be filed so THEY look like the victim here instead of the people at the other end of those 110,000+ email addresses.
Reminds Me (Score:1)
Why aren't whistleblower laws shielding him? (Score:2)
I thought there were whistle blower laws to shield people from these mishaps?
Is it because he went to the media rather than the FBI? I'm genuinely curious as the article doesn't say much except that he's a "hacker" that downloaded a bunch of public web addresses that were easily predictable.
Re: (Score:3)
AT&T wasn't breaking the law, whistleblower statutes do not apply.
Re:Why aren't whistleblower laws shielding him? (Score:4, Insightful)
AT&T wasn't breaking the law, whistleblower statutes do not apply.
It must have. From TFA:
One alleges that by being in possession of the e-mails from AT&Tâ(TM)s leaky system he handled 'identification information' in breach of a law intended to protect against identity theft,
I am certain that laws protecting us against identity fraud mandate that the "identification information" is shielded from theft. AT&T has clearly failed to protect the information.
Re: (Score:2)
Kind of messed up if you think about it; whistleblower laws only protect you if they were breaking the law, which means if they aren't convicted because of their highly paid legal team any whistleblower becomes fair game and totally screwed by said highly paid legal team. That law
Re: (Score:3)
A whistleblower is someone who tells the world about a problem that can't be resolved other than by publicizing it. A whistleblower isn't someone who exploits a vulnerability 110,000 times and publishes the private information gained by exploiting it. That is not legitimate white-hat whistleblowing. This is a person who leaked personal data, not a person who reported a leak.
Re: (Score:1)
Because the laws are usually to cover employees from receiving reprisal from their employers whether private companies or the government.
114 thousand times! (Score:1)
Robin In The Hood (Score:2)
like the Electronic Frontier Foundation worry that should that charge succeed it will become easy to criminalize many online activities, including work by well-intentioned activists looking for leaks of private information or other online security holes.
The road to hell and all that.
It's time for the geek to grow up and discover that life hasn't dealt him a Get Out Of Jail Free card,
Re: (Score:3)
We should push for activists to be interned as thinktivists for a minimum of 4 years before engaging in any activity in support of a " cause".
The prerequisite would demand a cause be examined from points of view other than the "cause" focused individuals involving themselves. This would enable a well rounded person to find solutions beneficial to all while bringing their goal to fruition. This new, well rounded "thinktivist" would then be allowed to replace the ineffective, greasy, dead head wannabees curre
Prosecutors, these days.... (Score:5, Interesting)
seem to be having increasing difficulty distinguishing the letter of the law versus the spirit of the law. Anything to add yet another successful prosecution to their resume with no concern as to the effects on others or the betterment of society.
Re: (Score:2)
Are you kidding me, that is WAY down the list
Above it are things like:
Can I get a conviction? This is pretty much the only performance metric for prosecutors. This includes taking into account how good a defense the accused can afford.
Am I ordered to prosecute by my superior? Will I be fired if I refuse?
Is there pressure from any groups to prosecute, just to harass the accused, even if the prosecution will fail, so in the future the group will help me [for example, the police force]?
The 'for the love of
Re:Prosecutors, these days.... (Score:4, Interesting)
Would you be saying something different if someone found a warehouse door open and reported it on a scrounger web site before they reported it to the owner of the warehouse? Data has value just like merchandise. The issue is not what they did but the way they did it. A true White Hat hacker would have told the company first and given them a chance to fix it before publicizing it.
Re:Prosecutors, these days.... (Score:4, Informative)
Would you be saying something different if someone found a warehouse door open and reported it on a scrounger web site before they reported it to the owner of the warehouse?
Neither of his charges is about publicizing the the info. I could probably get on board with that
It seems that his charges are:
1. "by being in possession of the e-mails from AT&Tâ(TM)s leaky system he handled 'identification information'"
2. "case is based on the Computer Fraud and Abuse Act, which forbids 'unauthorized access' to a computer." (definitely the equivalent of being charged for trespassing)
Show me which charge involves disseminating information on a scrounger website? Up to 5 years for trespassing in an open warehouse seems ridiculous (each charge carries up to 5 years)
If he is guilty of publishing the info - let's see a law that charges him with disseminating "identification information". But trying to make marginally related things stick is very, very dangerous.
Re: (Score:3)
Show me which charge involves disseminating information on a scrounger website? Up to 5 years for trespassing in an open warehouse seems ridiculous (each charge carries up to 5 years)
How about burglary (1-20 years depending on state) and possession of stolen property (up to 10 years in Washington State) would be the similar charge. They could not disseminate the information if they did not have it. They didn't just trespass, they copied the information and took it away. The charge is not about disseminating the information it has to do the possession of the information. Had they not stored the addresses the problem would have been a lot less severe.
Re: (Score:2)
How about burglary (1-20 years depending on state) and possession of stolen property (up to 10 years in Washington State) would be the similar charge.
Interesting point on possession of stolen property... Possession of copies of stolen property?
But -- can you get charged with burglary if the door was open?
Re: (Score:2)
Burglary [wikipedia.org] is the illegal entry into a building for the purposes of committing a crime, in this case the illegal copying of data, and need not include circumvention of security. They were not authorized to access the private server therefore the act was illegal. Locks are there to make crime more difficult; not to define what a crime is.
Re: (Score:2)
I don't think he "stole" the email addresses. AFAIK, they are still in ATT hands. No theft, no possession of stolen property. No burglary.
He copied stuff that was on a public web site. ATT probably didn't intend to make it publicly available, but that should be their problem, not his.
Re: (Score:2)
This is where the modern age of data does not jive with the laws dealing with material goods.
You are also confusing the analogy with the real life incident. The analogy refers to "theft" but the charges refer to "unauthorized access" and "illegal possession". Analogies are never perfect. The point is that the hacker was never authorizes to access or copy the information.
It was also much different than being on a public web site. The hacker didn't just click on a link and have the data appear. He had to send
Re: (Score:2)
Tough luck if you click a malformed link and get the wrong thing back from a server, you're going to jail.
*of the cracking type
Re: (Score:2)
If you click on the same link over 300000 times, record the results and publish them then yes you should go to jail. Once, probably not. In every law there is an intent clause. Clicking once could be an accident. Clicking 300,000 time shows intent. By the way, the mal-formed URL is the issue of the person who wrote the URL and maybe not the issue of the person who clicked on it. In this case the accused created a script to send hundreds of thousands of requests to the server. There was definite intent there
Re: (Score:2)
Weev and a fellow hacker who originally uncovered AT&T’s mistake and collected the e-mails didn’t ask the company for permission to access the Web addresses that shared iPad users’ private information. But those Web addresses weren’t hidden behind password prompts or any kind of protection – they were publicly accessible.
Which looks like the equivalent of "trespassing". Kind of like entering an empty lot, that has no fences or signs, that is next to a public park.
It means if you click on a random link you find, you could be arrested.
Re: (Score:2)
Please read all the posts before responding. He did not click on a random link. He crafted a specific URL with possible phone IDs and sent them to the server. He deliberately was looking for the information. Most requests were securely locked down but he found one that was not. It is much closer to going around a building looking for an unlocked door. The difference between trespassing and burglary is that trespassing is mere presence while burglary requires intent to do a criminal act while on the property
Re: (Score:3)
Prosecutors, these days seem to be having increasing difficulty distinguishing the letter of the law versus the spirit of the law.
The prosecutor has some discretion.
But there are limits.
He needs convincing and he tends to become cynical.
He has heard it all before.
The "spirit of the law" has to amount to something more --- much more, I afraid --- then the geek's self-serving plea that one of his own kind doesn't deserve to go to jail.
____
The geek is the quintessential outsider.
He ought to have learned by now not to rely on the kindness of strangers.
Re: (Score:1)
One thinks there must be more, some extortion or plan to misuse the info, that we aren't hearing about.
On the other hand, these are the same people who try to get teens who send cell phone nude shots to each other registered as lifelong sex offenders who produced and distributed child pornography.
Wrecking lives for a notch on the belt. So proud. Elect me!
Re: (Score:2)
How about reporting it to the place that can fix it rather than to the public that can exploit it? Oh yeah, one does not have to do it millions of times to prove there is an issue. The script probably sent millions of requests to get the 110,000 valid responses.
Re: (Score:2)
Because many times the company will just bury the problem instead of fixing it (not to mention persecute you anyway).
Re: (Score:2)
Give them time to try fixing it. If they don't fix it and publicize it then go to the press. The right way is to give the company a chance to fix the problem.
It is difficult to bury a data security breach if it is in the courts.
Re: (Score:2)
If you report it to the owner they have this habit of either threatening to sue you unless you keep it quiet.
Re: (Score:2)
Maybe maybe not. All web site owners do not react in the same way. Even if they did threaten a law suit they would have to prove it was you who told the press. If the site didn't fix the issue and go public with the problem then go to the press. Projecting what might happen and reacting to a possibility is just wrong.
Re: (Score:1)
Don't think the GP is refering to every site just the big ones, I'd put the criteria at those large enough to have a legal department...
Re: (Score:2)
It does not matter how big the legal department is if they can not prove anything in court.
Weev is not an online activist. (Score:5, Informative)
Weev is a troll [encyclopediadramatica.se]. He's better known to /. as one of the "president" of the GNAA [wikipedia.org]. An all around unpleasant fellow.
The unfortunate thing about this case is that Weev didn't actually do anything wrong here. AT&T published the email addresses, it should be AT&T facing prison time.
Re:Weev is not an online activist. (Score:5, Insightful)
He did do something wrong here. Whatever his intentions, he was poking around AT&T's web server in a way he knew he shouldn't have been. Just because AT&T was wrong doesn't make him right. As an analogy, I often leave my car unlocked. If you take it, you're still a car thief, even if I should have taken better care of my car. In any event, you don't have to harvest 114k emails to demonstrate a problem.1 or 2 is adequate proof that there's a problem.
Re:Weev is not an online activist. (Score:4, Insightful)
Better analogy is if you left confidential info clearly visible and readable in your car, and someone came along and saw it through the window, then told a nearby reporter about it, etc.
This guy didn't steal AT&T, after all.
Unfortunately, the car's owner is politically connected and his prosecutor buddy brings charges against you to cover up the owner's embarrassing blunder.
Re:Weev is not an online activist. (Score:4, Interesting)
Even better analogy;
1.Leave confidential material in a folder in an unlocked room.(create an mechanism on the server to access info without proper security)
2. Someone come along and search the room (make semi-random requests to the server)
3. Copy the information in the folder (record the server responses)
4. Publish where the room is, where the folder is and the contents of the folder. (put the server name, request format and received data out on the internet)
A true White had would have told the company before publishing the breach and they would not have tried hundreds of thousands of requests. Just because there is not a lock on the door does not mean one can rummage through the room, copy the information and publish it.
Re: (Score:1)
Re: (Score:2)
Then one is obliged to ask a store clerk if it is ok to go into the room. If someone went in that room and stole merchandise it would still be burglary.
Re: (Score:2)
The problem with your analogy is that a public-facing web server is assumed to have public-facing information. Trying zillions of queries is a normal way to get the data you want out of the server in a format you want, like trying to convince Netflix to give you the views you used to be able to click to. (As an aside, appending &vt=tl to many URLs gives you the old list view...) There's a big difference between checking doors and checking URLs.
I can agree, however, that he should have told the company a
Re: (Score:2)
In every request he sent was the ID of a phone that he did not own. He specifically asked for information that he knew he had no right to. Also the URL he hit was not published and he had never used it before. He was not trying to get what he used to get but he was trying to get information he knew that was illegal to have. That he got it through an unlocked door make no difference.
Re: (Score:1)
Better analogy is if you left confidential info clearly visible and readable in your car, and someone came along and saw it through the window, got out a cell phone and photographed the page, then turned the page and photographed the next page, over 100 thousand times, then told a nearby reporter about it, etc.
You left out an important part, because intent matters. If they'd seen one or two e-mails and reported it, fine. Instead they put in a huge effort to create a database of such e-mails. Can anyone here honestly say that was done in good faith? Somewhere after collecting the first dozen, hundred, or maybe thousand e-mails they cross the line.
Re: (Score:2)
Better analogy is if you left confidential info clearly visible and readable in your car, and someone came along and saw it through the window, then told a nearby reporter about it, etc.
An even better analogy: you left confidential info *about me* clearly visible and readable in your car. I had trusted you to keep it secure and I had not noticed that you were failing to do that. He saw it, and let me know in the only way he could.
I really can't understand all those "hacking victim" apologists (note the quotes). Currently it is illegal for me to accidentally discover that my bank/phone company/isp is leaking my information or allowing transactions in my name. Without that knowledge, I can
Re:Weev is not an online activist. (Score:5, Insightful)
The car analogy doesn't work here, as a website is inherently a publicly offered service, whereas your car is not. There really isn't a good analogy for this situation, as it doesn't really require an analogy in the first place.
AT&T put private information on their public website. Mistake or not, their actions made the information public, not the defendant in this case.
AT&T is obviously to blame here.
Re: (Score:2)
Re: (Score:2)
Whatever his intentions, he was poking around AT&T's web server in a way he knew he shouldn't have been.
the parallel of above is that the someone was looking at the cars parked in a private area. the valet company sells the idea that no one can do that (look at your car when it is parked with them) but then puts your car on the street.
Re: (Score:2)
The information was being served by AT&T's servers without any sort of authentication required. The car analogy isn't a very good one. This is more like an entrance in a commercial building, parts of which are open to the public. When you go to a store, you expect to be able to walk into doors that are open to you, provided they're not marked "employees only" or something like that. If you walk into an open side door, discover it doesn't lead to the sales floor, then tell the store manager about it so t
Re: (Score:1)
Re: (Score:2)
Have you used the world wide web lately? Let me give you a hint. At the moment, I'm looking at the URL bar of my browser. The URL in it right now is being displayed without the http:// it just starts with slashdot.org. After the slashdot.org, it's followed with comments.pl which is the name of a script and after that, by a question mark, then by a list of arguments and values separated by ampersands. The same sort of thing is true of many pages people visit. Even when the URL looks like a normal, non-script
Re: (Score:2)
Nope. Although I wasn't exactly using that event as a direct analogy to the events in the article, just a related anecdote. If we want to use it as an analogy, we have to decide what particular thing is analogous to the downloading of a page. If it's entering the bathroom, using the toilet, flushing, washing and drying my hands, then leaving, then it's one versus 14,000. On the other hand, disgusting as a it may be, we could also count individual droplets or even molecules/ions of water, urea, salt, etc. si
Re: (Score:2)
But taking your car would have deprived you of it. If you left the doors unlocked and i came by opened up and just took pictures of everything in your car without damaging or taking anything (but copying what i find) then I've taken nothing of yours, it isn't theft, and i have not broken and entered in any way.
Trying to use a physical theft as an analogy for digital works doesn't work because they are not the same.
Re: (Score:3)
As an analogy, I often leave my car unlocked.
That analogy is so bad, it's dishonest. Your car is not a publically accessible communication system. AT&T's website is. Do you really think they're comparable? Seriously, shame on you.
Paul J. Fishman (Score:3, Informative)
I know little of the case, but it looks like this case is being brought by Paul J. Fishman, the U.S. District Attorney for New Jersey. According to Wikipedia (it's always correct), he used to work for Friedman Kaplan Seiler & Adelman. A firm that represented the Communication Workers of America. Not surprisingly, the CWA regularly deals with AT&T.
Mr. Fishman was appointed by President Obama in 2009. If you don't like his actions, contact the Whitehouse and your representatives and let them know. Not that it'll matter, but maybe it'll make you feel better.
Or if you'd prefer, you can always contact his office directly for more information on the case: http://www.justice.gov/usao/nj/contact.html [justice.gov] . Though, again, not that'll it matter.
Re: (Score:2)
If you don't like [...], contact the Whitehouse and your representatives and let them know. Not that it'll matter, but maybe it'll make you feel better.
And that is the most accurate and succinct summary of our(*) representative democracy that I have ever seen.
(*) I'm not from US but the situation in Canada isn't any better.
Re: (Score:2)
So what? (Score:3)
According to Wikipedia (it's always correct), he used to work for Friedman Kaplan Seiler & Adelman. A firm that represented the Communication Workers of America. Not surprisingly, the CWA regularly deals with AT&T.
I would like to meet the man or woman with a senior position in law, finance, tech or government who at one time or another hasn't been friend or foe and often both to AT&T.
Hereabouts, you'll find them mighty thin on the ground.
AT&T Inc. is an American multinational telecommunications corporation headquartered in Whitacre Tower, downtown Dallas, Texas. AT&T is the largest provider both of mobile telephony and of fixed telephony in the United States, and also provides broadband subscription television services. As of 2010, AT&T is the seventh largest company in the United States by total revenue, and the fourth largest non-oil company (behind Walmart, General Electric, and Bank of America). It is the third-largest company in Texas (the largest non-oil company, behind only ExxonMobil and ConocoPhillips, and also the largest Dallas company). As of 2011, AT&T is the 14th largest company in the world by market value, and the 9th largest non-oil company. It is also the 20th largest mobile telecom operator in the world, with over 100.7 million mobile customers.
AT&T [wikipedia.org]
Wrong move (Score:1)
If he would have done the right thing and sold the information to Chinese hackers they would have given him a little cash and no one would be getting sued.
Re: (Score:1)
You first, General.
Something doesn't make sense to me... (Score:1)
According to the article attached to the summary, the way Weev accessed this information was typing in publicly accessible URLs. If that's the case, how in the world can he possibly be prosecuted for accessing a public website?
Something seems to be missing here. I'm guessing there's more to this story than what is written in the article.
if you saw an open bank vault (Score:2, Interesting)
Re: (Score:2)
if you saw an open bank vault ... do you help yourself, tell the bank, or shout about it from the rooftops? Andrew Auernheimer shouted from the rooftops and deserves punishment.
1. Up to 10 years total seems a tad high, since we are talking about emails, not a bank
2. He is being charged with "handling private data" and "unauthorized access" to a computer. Tell me which one of these charges is equivalent to the "shouting from the rooftops".
If only his case involved charges such as "disseminating private information" or "promoting identity theft", but neither one of them looks like that.
If the bank is shoveling money into the street... (Score:2)
...is your analogy still stupid?
Re: (Score:1)
do you help yourself, tell the bank, or shout about it from the rooftops?
Out of curiosity, if somebody was shouting about it from the rooftops; what's the law he would be breaking in that case?
Re: (Score:2)
Going to have to disagree, you can talk about anything you see in normally. If you opened the bank vault door first then yell its open, then you are guilty.
This guy reported a hack he found poking around, that's a crime. If he reported a hack he found while doing normal transaction, then its not a crime. I think its pretty easy to tell the difference.. Buffer overflows and exploits are not normal transactions. This is what makes the difference between white and black hat hackers. White hat doesn't perf
Bank? Library. (Score:2)
It is hard to maker a good analogy and I find most of those posted far off the track.
I see it differently: imagine a library. You know, books, of the paper variety. A lot of them, all available for public use.
Somehow careless library management put in there their finance book. Someone found it and picked up for rental. Person at the checkout out did not object.
It is negligence of the people who let the financial info get in the library, not the one who rented it.
Former head of the GNAA (Score:2)
I wonder how many of his defenders on Slashdot realize that this is Weev, the former president of the GNAA?
Still, I'm impressed with Slashdot's integrity, for once. After ten years of crapflooding and trolling by the GNAA, I would have thought that Slashdot would be a bit more antagonistic toward him.
For those who didn't RTFA: (Score:1)
1) Violating an identity theft law by "being in possession of the e-mails." With no evidence that he planned to misuse the information.
2) Violating the Computer Fraud and Abuse act via "unauthorized access to a computer". Even though the information was publicly available on AT&T's website (not behind any kind of protection, not even a password).
I almost hope he's convicted on the latter charge; the publicity that will generate may lead to sane revision of these laws.
Re: (Score:1)
"With no evidence that he planned to misuse the information."
IRC logs clearly showed weev planned to misuse the information. It even included him talking about using the breach to manipulate AT&T stock...
This indictment includes the IRC log excepts: http://www.scribd.com/doc/113664772/46-Indictment
Jury Nullification. (Score:2)
Please, make sure the Jury knows about Jury Nullification. They can still declare him not guilty even if he technically broke the law. Juries are your protection against bad laws. Let them know it.
IMarv
Re: (Score:2)
paladium.net (Score:1)
Here's who he screwed up .... (Score:2)
Americans are thoroughly idiotized today --- the vast majority are still to eff-tard stupid to understand we live in a corporate fascist state, and that it is by purposeful design that Americans are completely ignorant of the ownership of those ruling corporations (especially the banksters, oil companies, pharmaceuticals and weapons makers, etc.).
Exactly why they
"Easy to Criminalize Many Online Activities..." (Score:1)
That is the point of this endeavour.