'weev' Conviction Vacated

Soulskill posted about 8 months ago | from the finally-drew-the-get-out-of-jail-free-card dept.

The Courts 148

An anonymous reader writes "A few years back, Andrew 'weev' Auernheimer went public with a security vulnerability that made the personal information of 140,000 iPad owners available on AT&T's website. He was later sentenced to 41 months in prison for violating the Computer Fraud and Abuse Act (or because the government didn't understand his actions, depending on your viewpoint). Now, the Third U.S. District Court of Appeals has vacated weev's conviction. Oddly, the reason for the ruling was not based on the merits of the case, but on the venue in which he was tried (PDF). From the ruling: 'Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age, we find it necessary to reach only one that has been fundamental since our country's founding: venue. The proper place of colonial trials was so important to the founding generation that it was listed as a grievance in the Declaration of Independence.'"

To the point... (5, Informative)

msauve (701917) | about 8 months ago | (#46726913)

Spitler was in San Francisco, California and Auernheimer was in Fayetteville, Arkansas. The servers that they accessed were physically located in Dallas, Texas and Atlanta, Georgia. Although no evidence was presented regarding the location of the Gawker reporter, it is undisputed that he was not in New Jersey.

He was indicted and tried in NJ, despite none of the involved parties being located there.

Re:To the point... (0, Insightful)

Anonymous Coward | about 8 months ago | (#46726947)

I don't think that is 100% accurate. I'm sure some of the 116,067 emails that were exposed by him are residents from NJ.

Re:To the point... (2)

msauve (701917) | about 8 months ago | (#46727079)

How can an AC be expected to actually read the ruling they're commenting on, which specifically addresses his complaint?

There was no evidence at trial that Auernheimer's actions evinced any contact with New Jersey, much less contact that was “substantial.” The Government has not cited, and we have not found, any case where the locus of the effects, standing by itself, was sufficient to confer constitutionally sound venue.

Re:To the point... (1)

parkinglot777 (2563877) | about 8 months ago | (#46727231)

Hmm.. I found this one on TFA... I guess it does not matter whether any emails belong to NJ people but rather focus on the effect on NJ people.

The government argued that New Jersey was proper because 4,500 e-mail addresses were obtained from residents there. The authorities claimed that even if the venue was improper, it should be disregarded because it did "not affect substantial rights."

Re:To the point... (1)

ZombieBraintrust (1685608) | about 8 months ago | (#46727167)

Doesn't matter. If I rob someone in Alaska who happens to own a house in New York the crime still occurred in Alaska. These people had assets in CA. If they want the protection of NJ law they should keep their assets in NJ.

Re:To the point... (1)

American Patent Guy (653432) | about 8 months ago | (#46727377)

The decision explains: venue attaches to the location where the criminal acts were *committed*, not where the alleged victims resided.

Re:To the point... (1)

MouseTheLuckyDog (2752443) | about 8 months ago | (#46728003)

Incorrect, they found that the only venues for a crime are locations where essential elements occur. In the case of the parts of the CFAA violated that would either be the location of the hacker at the time of the hacking, or the location of the hacked machine at the time of the hacking.

Re:To the point... (2)

American Patent Guy (653432) | about 8 months ago | (#46728203)

Well, I was trying to keep it simple, but I don't think this Court of Appeals would agree with you. There is a significant discussion beginning at the bottom of page 14 that addresses, for example, whether the "locus of the effect of the criminal conduct" can confer venue. All this Court decided is that where there was no contact with the prosecutor's chosen venue (New Jersey) other than the alleged victims were located there, that venue was improper. The question of whether the site of the servers improperly accessed could confer venue has not yet been decided.

Re:To the point... (4, Informative)

NatasRevol (731260) | about 8 months ago | (#46727531)

Actually AT&T exposed the emails.

Re:To the point... (5, Informative)

Shakrai (717556) | about 8 months ago | (#46727679)

Actually AT&T exposed the emails.

After weev modified his user-agent to pass his browser off as an iPad, then wrote a script to throw millions of different ICC-ID codes at AT&T's servers, thereby tricking them into thinking that he was the AT&T customers whose e-mails were exposed.

AT&T's "security" measures were woefully inadequate, but that doesn't change the fact that calculated and deliberate actions were required to obtain access to information that Mr. Auernheimer and Mr. Spitler knew they had no right to access. They both had the guilty mind (mens rea) required under our legal tradition to sustain a criminal conviction, breaking both the letter and the spirit of the law.

Re:To the point... (4, Informative)

NatasRevol (731260) | about 8 months ago | (#46727751)

'deliberate actions' don't meet the definition of illegal behavior though.

They had to be 'accessed without authorization'. Sending different ICC-ID codes is NOT authorization. It's just a query. There was no actual authorization in place, and thus NO ACTUAL LAW WAS BROKEN.

Re:To the point... (3, Interesting)

Shakrai (717556) | about 8 months ago | (#46727877)

You're seriously going to argue that even though he had to take deliberate steps to impersonate other people he wasn't accessing information "without authorization"? That's what this boils down to at the end of the day, he tricked AT&T's web servers into thinking he was an AT&T customer, and in so doing obtained access to information about that customer. Then he wrote a script to automate the process and repeated it ~140,000 times.

I really don't understand why people defend this kid's actions. The Federal prosecution was bullshit, this should have been charged at the State level, but to claim that he's completely innocent when he went out of his way to obtain access to information he knew he had no right to access? That's absurd.

Re:To the point... (4, Interesting)

NatasRevol (731260) | about 8 months ago | (#46727965)

Well, not me, but the appeals court certainly did.
This paragraph is on page 10 of the ruling:

The charged portion of the CFAA provides that
“[w]hoever . . . intentionally accesses a computer without
authorization or exceeds authorized access, and thereby
obtains . . . information from any protected computer . . . shall
be punished as provided in subsection (c) of this section.” 18
U.S.C. 1030(a)(2)(C). To be found guilty, the Government
must prove that the defendant (1) intentionally (2) accessed
without authorization (or exceeded authorized access to) a
(3) protected computer and (4) thereby obtained information

Then this paragraph is on page 12 of the ruling:

Because neither Auernheimer nor his co-conspirator
Spitler performed any “essential conduct element” of the
underlying CFAA violation or any overt act in furtherance of
the conspiracy in New Jersey, venue was improper on count
one.

I guess you're smarter than them.

Also, if passing a phone identifier to a query of a web server could access all this information, is that really a 'protected computer'? I'd say no.

Re:To the point... (3, Insightful)

Shakrai (717556) | about 8 months ago | (#46728131)

Venue was improper. That doesn't mean he isn't guilty, it just means the Federal Government was inept (shocker, I know) and has managed to turn a common criminal into a martyr because they were too stubborn to simply turn this matter over to the authorities in his home state. I suspect the Feds will just prosecute him again in his home Federal District, wherein he will be convicted, though if they were smart they'd let the State authorities handle this matter. AR has a non-controversial computer trespass law that would cover his actions here.

Also, if passing a phone identifier to a query of a web server could access all this information, is that really a 'protected computer'? I'd say no.

And you'd be wrong. You're looking at this from the geek perspective, rather than the legal perspective. Google the reasonable person standard and mens rea, those are two of the most important building blocks of our legal system. Bottom line: He knowingly accessed information that a reasonable person would have known they weren't entitled to access. He did so by tricking AT&T's servers into thinking he was someone other than himself. The icing on the cake were his own words entered into evidence, wherein he admitted that he knew he wasn't entitled to access the information.

Don't take my word for any of this, go read the body of evidence against him. It's all publicly accessible via PACER [pacer.gov].

Re:To the point... (0)

NatasRevol (731260) | about 8 months ago | (#46728215)

neither Auernheimer nor his co-conspirator
Spitler performed any “essential conduct element” of the
underlying CFAA violation

If that's not a 'not guilty' by a court that's not passing actual judgement, I don't know what is.

He did so by tricking AT&T's servers into thinking he was someone other than himself.

That doesn't mean UNauthorized.

he knew he wasn't entitled to access the information.

And yet there's no legal requirement for 'entitlement'. Just unauthorized access.

Again, there was no authorization process in AT&T's system, so he could NOT have accessed without authorization. AT&T's systems were set up with explicit full authorization in place. Everybody can access everything. Just enter the code.

Re:To the point... (-1)

Anonymous Coward | about 8 months ago | (#46728299)

If I don't lock my door, you're still breaking & entering if you walk up, turn the doorknob, and walk into my home.

That you CAN do something does not mean you are AUTHORIZED to do it. In fact, the fact that someone put any sort of "authorization" system in place in front of the data to begin with strongly suggests that you MUST be authorized to access the data, regardless of whether or not you actually CAN by exploiting a weakness in the authorization scheme.

I CAN surprise buttsecks you - that doesn't mean I'm authorized to do it. Authorization is not based on the sole criteria of, "are you strong enough / smart enough to prevent it."

Don't be a pedantic twat - the law doesn't work that way, despite your obvious asperger's.

Re:To the point... (0, Troll)

NatasRevol (731260) | about 8 months ago | (#46728363)

Except that the law *requires* authorization be broken.

If your door is unlocked AND open, it's not B&E.

Uh, yeah, the law works perfectly pedantically. Sorry for your obvious ignorance.

Re:To the point... (1)

Anonymous Coward | about 8 months ago | (#46728119)

You're seriously going to argue that even though he had to take deliberate steps to impersonate other people he wasn't accessing information "without authorization"?

No. But I am going to seriously argue that the server returning the information implies authorization.

And don't give us that "unlocked door" bullshit analogy. This is more like a crazy ex whom I forgot still has access to my house holding a garage sale while I'm out of town. It might be embarrassing to me that such a silly mistake on my part has harmed me so greatly, but that doesn't give me justification to go after the people that my crazy ex sold my stuff to. I go after the crazy ex. The fact that the crazy ex is a computer instead of a person should change nothing.

Re:To the point... (1)

hazem (472289) | about 8 months ago | (#46728303)

The meat-space equivalent is something like reporter (who is not Bob's wife) calling a bar and saying, "I'm Bob's wife, is Bob there?"

That's unethical maybe, but not illegal. Why should it be illegal just because that's done electronically?

Re:To the point... (2)

Shakrai (717556) | about 8 months ago | (#46728389)

The meat-space equivalent is something like reporter (who is not Bob's wife) calling a bar and saying, "I'm Bob's wife, is Bob there?"

A better analogy would be calling AT&T and saying "I'm Bob, can you tell me when my bill is due?" You've impersonated Bob and used it to obtain access to personally identifiable information [wikipedia.org] , you'd be guilty of a number of different crimes in such a circumstance.

Re:To the point... (2)

GPS Pilot (3683) | about 8 months ago | (#46727879)

The proper place of colonial trials was so important to the founding generation that it was listed as a grievance in the Declaration of Independence.

weev is fortunate that, for once, a court gives a damn about what was important to the founding generation.

sad day for those who don't like 4chan trolls (0)

Anonymous Coward | about 8 months ago | (#46726917)

his conviction was BS but he was a blight on the internet

Re:sad day for those who don't like 4chan trolls (4, Insightful)

bmajik (96670) | about 8 months ago | (#46726939)

Not liking someone isn't a good enough reason to put them in jail.

Usually. For now.

Re:sad day for those who don't like 4chan trolls (5, Funny)

roc97007 (608802) | about 8 months ago | (#46727045)

From a practical standpoint, it depends on who doesn't like him.

Re:sad day for those who don't like 4chan trolls (1, Interesting)

Jeff Flanagan (2981883) | about 8 months ago | (#46727363)

Not liking someone isn't a good enough reason to put them in jail.

Then why are people in jail for smoking pot, or being in the wrong location while black?
People go to jail all the time just because some idiot with power didn't like them.

Re:sad day for those who don't like 4chan trolls (2)

mmell (832646) | about 8 months ago | (#46727549)

Not liking someone isn't a good enough reason to put them in jail.

He didn't say it never happens. He said it isn't a good enough reason for it to happen.

Re:sad day for those who don't like 4chan trolls (1)

GodInHell (258915) | about 8 months ago | (#46728139)

Then why are people in jail for smoking pot, or being in the wrong location while black?

Wait -- back up. You know that one of those two things is actually on-the-books against the law and the other is not, right? I hope. Please?

Re:sad day for those who don't like 4chan trolls (2, Insightful)

Shakrai (717556) | about 8 months ago | (#46727387)

Not liking someone isn't a good enough reason to put them in jail.

He deserved to go to jail. Read the body of evidence against him. This wasn't a simple exposure of a security flaw in AT&T's website. He took deliberate actions to maximize the collection of information, bypassed security measures to obtain said information (that the security measures were woefully inadequate is beside the point, deliberate actions were required to bypass them), and discussed ways to use the obtained information for personal profit with his co-conspirator.

None of that is to suggest that I agree with dragging him halfway across the country, or even with the Feds getting involved in the first place. His home state (Arkansas) has a computer trespass statute that would have been sufficient to prosecute him under, or the Feds could have at least tried him in his own district. I suspect that the former is what may happen now, since double jeopardy won't apply to a State level prosecution, and if it shakes out fairly he'll get credit for the time served in Federal prison without additional jail/prison time being imposed. First time offender and a non-violent crime after all...

Re:sad day for those who don't like 4chan trolls (3, Informative)

bzipitidoo (647217) | about 8 months ago | (#46728403)

that the security measures were woefully inadequate is beside the point

On the contrary, we cannot have the law being abused to take the place of security. Too many people would fake the security and rely on the law to make it work. Too many are already doing exactly that. It's a costly and unreasonable burden upon the public. Pay for your own security. That includes designing a reasonable system, implementing it properly so that it actually works, and performing tests and audits. Just because perfection is hard is no reason to excuse sloppy security work. DRM, for instance, fails the reasonability requirement. We have had our publicly funded police forces and courts misused to confiscate prescription drugs, improperly demand license fees from users rather than producers (SCO scared and bullied a few users into paying for a license to use Linux), and of course conduct a massive campaign to hold back technology in the name of stopping piracy. ISPs are pretty well free of being burdened with requirements to keep years and years of logs, for fishing expeditions, but there is still danger it could become the law.

It is also better not to have doubt about whether some security effort was meant to be real but was bungled, or was indeed faked and, after being breached, is claimed to have been a real effort all along and therefore the breaches are worthy of prosecution. This is especially true on a system that is not experimental, but is instead an implementation of well known, effective methods. AT&T wasn't doing anything new, no, they just plain blew it. Saves us all a lot of time and money arguing over a pointless aside.

We even have cases of security law being gamed. We don't need someone setting up a honey pot to snare particular victims, then running to the law to complain that mean, bad people broke in, ask that the seeming perpetrators be thrown in prison, and kick back and watch as the full paranoia and wrath of the law is released upon their enemies.

Owners should install working locks on their doors and use them, not demand that the government spend enough money, no matter how much, to watch every door all the time because they can't be bothered to spend the trivial amount of money needed to have a working lock.

Re:sad day for those who don't like 4chan trolls (1)

RyuuzakiTetsuya (195424) | about 8 months ago | (#46727723)

yet doxxing someone and starting a campaign of threats isn't?

Re:sad day for those who don't like 4chan trolls (1)

GodInHell (258915) | about 8 months ago | (#46728129)

Sounds like you probably aren't from the southern U.S.

Or in legal parlance (4, Funny)

korbulon (2792438) | about 8 months ago | (#46726977)

They invoked the writ of Copus Outus.

Re:Or in legal parlance (5, Informative)

krlynch (158571) | about 8 months ago | (#46727007)

Which is more officially the Doctrine of Constitutional Avoidance: http://en.wikipedia.org/wiki/C... [wikipedia.org]

Re:Or in legal parlance (2)

SailorSpork (1080153) | about 8 months ago | (#46727101)

Yeah, "Don't Make New Laws Unless You Have To" looks like copping out, but is actually something I completely support. When new laws are made, it usually just makes things more complicated, may create unintended/unforeseen consequences, and so forth.

Re:Or in legal parlance (1)

davecb (6526) | about 8 months ago | (#46727295)

Yup: excessive enthusiasm and pilpul don't make a good mixture.

--dave
[Hmmn, I'm thinking red/green/refactor may be something legal draftsmen may want to investigate. The conviction was RED, this is GREEN, a good case before a superior court would be the REFACTOR]

Re:Or in legal parlance (0)

Anonymous Coward | about 8 months ago | (#46727333)

Constitutional avoidance is specifically about striking down unconstitutional laws and acts. In other words, letting the government continue violating the Constitution if they can find absolutely any other tiny possible way to get out of having to tell the government to "stop doing that".

Just another reminder that the Constitution is not the law, at best it could be considered the supreme suggestion of the land.

Re:Or in legal parlance (1)

korbulon (2792438) | about 8 months ago | (#46727141)

Even though there's a name and history for it doesn't make the ruling any more satisfying: "we're letting him go, but don't get the idea that we want to, it's just because we're not willing to make any sort of actual decision about it." But IANAL and all that shit, so what the hell does my opinion as a concerned citizen matter? Best to leave these sort of things in the hands of experts and I will get back to being a tiny gear.

Re:Or in legal parlance (1)

Travis Mansbridge (830557) | about 8 months ago | (#46727279)

Actually, the appeals circuit doesn't reevaluate the evidence of a case but merely whether the letter of the law was followed during the trial. If it wasn't, a new trial begins, and if it was, they may still appeal to a higher (supreme) court.

Re:Or in legal parlance (1)

c (8461) | about 8 months ago | (#46727427)

Even though there's a name and history for it doesn't make the ruling any more satisfying: "we're letting him go, but don't get the idea that we want to, it's just because we're not willing to make any sort of actual decision about it."

If you actually read the ruling, footnote 5 strongly suggests that if they'd actually had to make a decision on the actual purported crime, they don't believe the government actually produced any evidence suggesting the New Jersey law was violated.

Not Quite (1)

Anonymous Coward | about 8 months ago | (#46727503)

What the appeals court said is that they could not rule on the merits of the case, as there were none. For them to rule on the merits of the case, it would have to have been properly tried. It wasn't, therefore, there are no merits at all. This is consistent with the "poisoned fruit" doctrine that leads all tainted evidence to be discarded due to having been obtained illegally, whether or not it's relevant.

Gay niggers rejoice! (0, Troll)

Anonymous Coward | about 8 months ago | (#46726999)

Free celebratory showings of Gayniggers from Outer Space will be happening near you.

Re:Gay niggers rejoice! (0)

MrBingoBoingo (3481277) | about 8 months ago | (#46727029)

Finally said without being a Troll comment!

Re:Gay niggers rejoice! (-1)

Anonymous Coward | about 8 months ago | (#46727357)

Yeah man. Seriously, who in their right mind would downmod an anon? It's not like that was particularly obnoxious: the GNAA is completely relevant to weev.

Re:Gay niggers rejoice! (1)

mmell (832646) | about 8 months ago | (#46727575)

Agreed - A/C's all look like they're at -1 to me anyhow . . .

Re:Gay niggers rejoice! (0)

Anonymous Coward | about 8 months ago | (#46727095)

Their mission: to boldly go where no man has gone before.

What happens now? (4, Interesting)

gnasher719 (869701) | about 8 months ago | (#46727053)

From Wikipedia: "Relief from judgment of a United States District Court is governed by Rule 60 of the Federal Rules of Civil Procedure.[1] The United States Court of Appeals for the Seventh Circuit noted that a vacated judgment "place[s] the parties in the position of no trial having taken place at all; thus a vacated judgment is of no further force or effect."[2] Thus, vacated judgments have no precedential effect.[3]"

That seems to say that he is now in a legal position as if the trial had never taken place. So can he be taken to court in the proper place now?

Re:What happens now? (2)

Registered Coward v2 (447531) | about 8 months ago | (#46727181)

From Wikipedia: "Relief from judgment of a United States District Court is governed by Rule 60 of the Federal Rules of Civil Procedure.[1] The United States Court of Appeals for the Seventh Circuit noted that a vacated judgment "place[s] the parties in the position of no trial having taken place at all; thus a vacated judgment is of no further force or effect."[2] Thus, vacated judgments have no precedential effect.[3]" That seems to say that he is now in a legal position as if the trial had never taken place. So can he be taken to court in the proper place now?

INAL, but from my understanding of double jeopardy he could be retried. It appears to be a procedural error which would allow a retrial; in this case in the proper venue.

Re:What happens now? (3, Informative)

bruce_the_loon (856617) | about 8 months ago | (#46727303)

If he is retried, he can bring into evidence footnote 5 on page 12 of the judgement where the judges advanced the opinion that he was innocent of the accessing without authorization or in excess of authorization charge because there was no password or code barrier and the program accessed a publicly facing interface and retrieved information that AT&T unintentionally published. It reads that even if they found the venue as correct, they would have vacated the guilty verdict because of that.

Re:What happens now? (1)

Yebyen (59663) | about 8 months ago | (#46727407)

I haven't read the judgement (I am a good armchair lawyer though, have read lots of opinions and regurgitation of other people's interpretation of the facts) but I am pretty sure that was a part of the New Jersey law, so in any retrial it would be irrelevant, since the standard is lower.

It would have probably been better for Weev if AT&T's servers actually were in New Jersey, since then these judges would be forced to say what they think about the NJ law as it applies to this case, which is pretty clearly what you said. The password or code - there was no such barrier to access, so no illegal access through forged authorization occurred.

This barrier requirement is part of the New Jersey law, and the threshold for abuse in the federal statutes is lower. Ah. Here, found it:
See State v. Riley, 988 A.2d 1252,
1267 (N.J. Super. Ct. Law Div. 2009) (p12 of the ruling)

Re:What happens now? (2)

Shakrai (717556) | about 8 months ago | (#46727509)

The password or code - there was no such barrier to access, so no illegal access through forged authorization occurred.

He still could have been charged under CFAA, without the felony enhancement (or without it through some other requirement), or any one of a number of state-level computer trespass laws. My home state (New York) has a felony computer trespass law that would apply to the exact same crime committed within our jurisdiction, and Arkansas (weev's home state) has a similar statute.

As a general rule of thumb the law is less concerned about the specific security measures bypassed and more concerned with whether or not you knew you were entitled to access the information (the record here is clear that he knew he was not) but still took deliberate measures to obtain said access.

Re:What happens now? (0)

Anonymous Coward | about 8 months ago | (#46727637)

Accessing a public facing web page is like accessing a phone book in a public phone booth. You can't tell me I can only look at entries of people I know.

Re:What happens now? (1)

Shakrai (717556) | about 8 months ago | (#46727705)

It's not a public facing web page when you have to impersonate someone else in order to access it.

Re:What happens now? (1)

Yebyen (59663) | about 8 months ago | (#46727845)

Which is just what he didn't do, according to the opinion. I agree, this fact wouldn't be helpful to his case if he was tried in probably any other possible state, other than New Jersey.

Re:What happens now? (1)

Shakrai (717556) | about 8 months ago | (#46727953)

He's still guilty of violating CFAA. They just tied it to another State level offense to enhance the underlying charge into a felony. They could have done that with any underlying state law though, so it's kind of moot whether or not he violated the NJ law. He's also guilty of violating Arkansas' computer trespass law, emphasis mine:

A person commits computer trespass if the person intentionally and without authorization accesses, alters, deletes, damages, destroys, or disrupts any computer, computer system, computer network, computer program, or data.

Had he been charged under that statute I highly doubt this would have become a national news story. This really shouldn't have become a Federal case, and if the Feds were hell bent on taking it they should have charged him in his home district. Carting him halfway across the country was a dick move, done purely for the convenience of the Federal Government, and it's made a martyr out of a common criminal that nobody would ever have heard of if this matter had been handled at the State level.

Re:What happens now? (1)

Yebyen (59663) | about 8 months ago | (#46728073)

One has to wonder then, whose idea it was to charge him in New Jersey at all...

If there's a precedent already in the state court that it's not unauthorized access if there's no code or password stolen... and there's a pretty clear argument that the case doesn't even belong in New Jersey, how did we get here? Some three years of incarceration later!

(Obviously, the answer is that it's not a crime if a cop does it.)

Re:What happens now? (1)

Shakrai (717556) | about 8 months ago | (#46728179)

My understanding is it wound up in New Jersey simply because the Federal authorities there have more experience with these types of cases. However it happened, I'd concur that it was improper venue. The Feds should have charged him in his own Federal District at the very least, though I'd go further than that and argue that the body of evidence should have been turned over to the authorities in Arkansas for a state level prosecution. Either way, he was entitled to be tried in the jurisdiction where the law was broken, not trucked halfway across the country for the convenience of Uncle Sam.

Re:What happens now? (0)

Anonymous Coward | about 8 months ago | (#46727411)

Even if they couldn't retry him for a federal crime, current Supreme Court definitions of double jeopardy allow the government to try him again for a state crime, possibly once in each state even.

Re:What happens now? (1)

mmell (832646) | about 8 months ago | (#46727659)

Two factors - first, does prejudice apply, or was the conviction vacated without prejudice?

Second - charges brought in New Jersey don't have any bearing on charges brought in California/Arkansas/(anywhere but New Jersey)? Different state, different state laws being applied, different crime being alleged. I doubt that the charges in California would specifically be about the 4,500 New Jersey residents whose personal information was compromised. If necessary, they could simply exclude that evidence as not pertinent to their case and proceed with charges based on all the remaining evidence. Seems ridiculous, but much of US law is like that - swallowing camels whole but straining to swallow gnats is the expression I read somewhere once.

Re:What happens now? (0)

Anonymous Coward | about 8 months ago | (#46727241)

Wouldn't that be double jeopardy?

Re:What happens now? (1)

93 Escort Wagon (326346) | about 8 months ago | (#46727259)

No - see the last paragraph in the post you're responding to.

Re:What happens now? (1)

un1nsp1red (2503532) | about 8 months ago | (#46727297)

It would only be double-jeopardy if he went completely through trial and judgement. Since it was vacated, it was like it never happened.

Re:What happens now? (2)

Hentai (165906) | about 8 months ago | (#46727391)

Hmm. Overly-cynical thought:

Convict him, put him in prison, let him start serving out his sentence, vacate conviction based on venue.

Re-charge him in the proper venue, put him in jail without bail, let him stew for a few years. Then try him again, convict him again, put him in prison for a year or so again. Then vacate THAT conviction based on another technicality.

Then re-charge him again, put him in jail without bail again, let him stew for a few more years while you set up a third trial. Then try him again, convict him again, put him in prison for awhile again, then vacate THAT conviction...

I wonder how long you could play judiciary ping-pong with someone you REALLY didn't like?

Re:What happens now? (0)

Anonymous Coward | about 8 months ago | (#46727499)

Until their time served is equal to or greater than the punishment they would get. Any competent lawyer would get previous time-served credited towards the new conviction.

Re:What happens now? (1)

phantomfive (622387) | about 8 months ago | (#46727517)

Convict him, put him in prison, let him start serving out his sentence, vacate conviction based on venue.

His lawyer should have protested the venue in the first place. That is my understanding of the situation.

Either way I hope 'weev' learned not to be a griefer. Otherwise he's just a jerk.

Re:What happens now? (0)

Anonymous Coward | about 8 months ago | (#46727651)

Umm, his lawyer did object to venue and was shot down by the court. Doesn't anyone read anything anymore?

Re:What happens now? (1)

phantomfive (622387) | about 8 months ago | (#46727849)

No, no I did not. Guilty as charged.

Re:What happens now? (1)

MarkvW (1037596) | about 8 months ago | (#46728355)

You are WAY off base. It's sad that you have been modded up.

Venue not objected-to in the trial court is WAIVED. That means it can't be raised for the first time on appeal.

If it could, lawyers would be sandbagging potential 'venue do-overs' all the time.

Re:What happens now? (1)

mmell (832646) | about 8 months ago | (#46727677)

Until somebody managed to get the sentence vacated with prejudice.

Of course (1, Troll)

Vermonter (2683811) | about 8 months ago | (#46727057)

Of course they vacated his conviction based on the wrong venue instead of the merits of the case. This guarantees there is no controversy.

Re:Of course (0)

Anonymous Coward | about 8 months ago | (#46728049)

Venue is a threshold issue. The court has to consider it before they consider the merits of the case. If a court determines that venue is not proper, then the court rules based on venue and does not consider the merits. That's the way the US system works.

Interesting (2, Interesting)

Capt James McCarthy (860294) | about 8 months ago | (#46727063)

I never understood this. If you break up a rape and beat the crap out of the perpetrator, you are hailed a hero. But expose flaws and you are a criminal. I suppose it's not the crime they are exposing, but the tactics to obtain the information then? So the question would be do the ends justify the means? That would apply to all things governmental/commercial I suppose.

Re:Interesting (1)

bunratty (545641) | about 8 months ago | (#46727381)

You need to be very careful when doing security research. To expose a flaw in a security system, you often need to break the law, unless you have prior permission to expose flaws in a particular system. When I took Halderman's security class, he warned us that any student who broke the law would automatically get an F in his class.

Re:Interesting (1)

NatasRevol (731260) | about 8 months ago | (#46727565)

Sometimes, laws need to be broken.

Read that any way you want.

Re:Interesting (1)

bunratty (545641) | about 8 months ago | (#46727613)

I read that as saying that it's often the right thing to do to break the law. On the other hand, you can't expect no legal consequences because you did the right thing.

Re:Interesting (1)

NatasRevol (731260) | about 8 months ago | (#46727807)

Often, the legal consequences are what makes it so obvious that the law should be broken.

Re:Interesting (1)

sribe (304414) | about 8 months ago | (#46727399)

If you break up a rape and beat the crap out of the perpetrator, you are hailed a hero.

That depends entirely on locale. Some prosecutors would go after you for the assault.

Re:Interesting (1)

American Patent Guy (653432) | about 8 months ago | (#46727413)

Weev did more than expose the security flaw. He ran a scheme to collect the email addresses behind the flawed security scheme, and collected over 100K of them. If he (and his partner) had stopped when the security flaw was discovered, then there would not have been a crime committed.

Re:Interesting (-1)

Anonymous Coward | about 8 months ago | (#46727593)

What delusional bullshit.

Re:Interesting (0)

Anonymous Coward | about 8 months ago | (#46727685)

There was no crime as he didn't attempt or intend to use the information in an illegal way. Exactly what crime is supposed to have been committed?

Re:Interesting (1)

American Patent Guy (653432) | about 8 months ago | (#46727907)

That's like arguing that a shoplifter took a knife, but didn't intend to stab anyone with it, so he's innocent. The illegal act was the collection of the email addresses that AT&T failed to properly protect.

Think of it this way: AT&T had a security plan (a wall) to protect a collection of email addresses (a pot of gold coins), and AT&T failed to notice that there was a security flaw (a hole in the wall). If Weev walked up to the wall and declared there was a hole there, that would have been legal. What Weev did was to write a program that crawled through the hole that collected the coins. Weev didn't have a right to possess the email addresses, and they were within a security envelope.

I'm not saying AT&T is guiltless here: I think they had a responsibility to their customers that they failed to meet. I'm not saying that I like this particular law. But under this law, Weev was apparently guilty.

Re:Interesting (0)

Anonymous Coward | about 8 months ago | (#46727979)

One count of identity fraud and one count of conspiracy to access a computer without authorization.

Re:Interesting (0)

Anonymous Coward | about 8 months ago | (#46727857)

Weev did more than expose the security flaw. He ran a scheme to collect the email addresses behind the flawed security scheme, and collected over 100K of them. If he (and his partner) had stopped when the security flaw was discovered, then there would not have been a crime committed.

So when a "real" security researcher goes far enough to create proof-of-concept code for a particular violation, they're now committing a crime?

Re:Interesting (1)

American Patent Guy (653432) | about 8 months ago | (#46727951)

I don't think so. (That would violate the 1st amendment, as in free speech.) The crime would lie in running that code.

Re:Interesting (0)

Anonymous Coward | about 8 months ago | (#46727597)

I never understood this. If you break up a rape and beat the crap out of the perpetrator, you are hailed a hero. But expose flaws and you are a criminal.

As others have mentioned, he didn't just test an exploit and then inform AT&T, he ran the exploit repeatedly, gaining more personal information each time, and discussed how to profit most from the security breach before (eventually) deciding to just publicly release all the data.

A more proper crime analogy is that you come home from work to find a stranger at the corner with a large sign informing everyone that your back window is unlocked, and you need more ketchup.

Re:Interesting (1)

Solandri (704621) | about 8 months ago | (#46727619)

To break up a rape, you need to conduct assault and battery on the rapist. Things that are normally considered criminal, but not in the context of self-defense or defense of another.

That's what's missing in the security front. If you're exposing the flaw in self-defense (your info is at risk) or defense of another (other people's info is at risk), you should be immunized against prosecution if you reveal the info in a reasonable manner. "Reasonable" can be defined in many ways, but probably something like notifying government regulators and the company fielding the security hole and giving them a month to do something about it, before going public with it.

Re:Interesting (0)

Anonymous Coward | about 8 months ago | (#46728177)

The "break up a rape" analogy isn't correct. It was more like finding an area filled with helpless women that was secured by an unlocked gate. They went through the gate and shouted, "We could be raping you!" The issue, then, is whether or not they are guilty of trespassing.

In the case of "beat the crap out of the perpetrator", you may be prosecuted if the beating gratuitously exceeded what was reasonably necessary to stop the raping, although the DA may try to ignore your excesses.

Not Odd At All (4, Insightful)

jratcliffe (208809) | about 8 months ago | (#46727137)

"Oddly, the reason for the ruling was not based on the merits of the case, but on the venue in which he was tried (PDF)."

This isn't odd at all. If the venue was incorrect, then all the issues raised in the trial become irrelevant.

Think of it this way: if he'd been charged with "being a Mets fan," and the appeal was based on (a) there's no law against being a Mets fan, and (b) the evidence that he was a Mets fan (a cap) was obtained through an illegal search, then whether or not the search was illegal would be irrelevant - he had broken no law, so the "conviction" would be tossed out.

Re:Not Odd At All (1)

Yebyen (59663) | about 8 months ago | (#46727263)

...except that the situation you just described is the opposite of what happened.

The judges declined to give an opinion on whether or not any law was violated, they vacated the verdict in NJ because of a procedural violation that had taken place -- the venue the case was tried in was NJ, even though the events and parties (AT&T was not a plaintiff, so technically not a party... but the servers in question) were not any of them in NJ.

Re:Not Odd At All (2)

bruce_the_loon (856617) | about 8 months ago | (#46727329)

An opinion on the law being violated was given in footnote 5 on page 12 of the judgement. It suggests he is not guilty of the charge.

Re:Not Odd At All (1)

Yebyen (59663) | about 8 months ago | (#46727703)

It suggests (by way that no evidence was offered) that he is not guilty of unauthorized use of a code or password, which means he's not guilty of violating the precedent for the statute in NJ. It gives no opinion on whether or not this has any bearing on the federal charge under CFAA. The precedent cited is another NJ case, where the person on trial was a police officer who had a password and used it for reasons against internal policy. There was no password, but I believe the standards of the federal CFAA are actually much lower.

Re:Not Odd At All (1)

jratcliffe (208809) | about 8 months ago | (#46727699)

Bad example on my part, then. Point I was trying to get across is that, if there's a procedural reason to overturn a ruling, judges will always go that route rather than getting into the substance of the case, since the substance doesn't matter.

Re:Not Odd At All (1)

Yebyen (59663) | about 8 months ago | (#46727809)

I'll try a car analogy. If you're trying to drive to New Jersey and you're starting your trip in Ireland, it's not important that you don't have EZPass or any American money to pay the tolls. There's too much water in your engine by the time you reach the shore, assuming you didn't just run out of gas on the bottom of the ocean. You didn't fail to pay the roadway tolls in Jersey, since you never were in the state of New Jersey. So you don't go to jail for that.

Re:Not Odd At All (1)

Anonymous Coward | about 8 months ago | (#46727889)

"Oddly, the reason for the ruling was not based on the merits of the case, but on the venue in which he was tried (PDF)."

This isn't odd at all. If the venue was incorrect, then all the issues raised in the trial become irrelevant.

Think of it this way: if he'd been charged with "being a Mets fan," and the appeal was based on (a) there's no law against being a Mets fan, and (b) the evidence that he was a Mets fan (a cap) was obtained through an illegal search, then whether or not the search was illegal would be irrelevant - he had broken no law, so the "conviction" would be tossed out.

It's a little more complicated than this. Part of the reason New Jersey was chosen is that they could tag a felony onto the case. So it would be like being charged for being a Mets fan, but you live in Arkansas, and the cap was found in Arkansas, but it's only a misdemeanor in Arkansas to be a Mets fan...so the trial was moved to Jersey where being a Mets fan is a felony.

I hope you don't work for the NSA... (2)

American Patent Guy (653432) | about 8 months ago | (#46727305)

From the decision: "To be found guilty, the Government must prove that the defendant (1) intentionally (2) accessed without authorization (or exceeded authorized access to) a (3) protected computer and (4) thereby obtained information." I haven't read this particular law, but I doubt that it has a provision that gives blanket immunity to government agents/employees. The minute you step over the line of unauthorized access to a computer (assuming you don't have a warrant), you've just committed a crime.

Ooooooh ... where's my popcorn?!

Proper venue is a fundamental constitutional right (1)

FuzzMaster (596994) | about 8 months ago | (#46727415)

From the opinion, the court got this part right:

“Though our nation has changed in ways which it is difficult to imagine that the Framers of the Constitution could have foreseen, the rights of criminal defendants which they sought to protect in the venue provisions of the Constitution are neither outdated nor outmoded.” ... Just as this was true when we decided Passodelis in 1980 — after the advent of railroad, express mail, the telegraph, the telephone, the automobile, air travel, and satellite communications — it remains true in today’s Internet age. For the forgoing reasons, we will reverse the District Court’s venue determination and vacate Auernheimer’s conviction.

Not just the Declaration (3, Interesting)

T.E.D. (34228) | about 8 months ago | (#46727795)

He wasn't kidding in the slightest about venue being a big issue in our break with Britain. You can find the issue at least alluded to as a grievance in just about any pre-war document. My favorite is Franklin's sarcastic Rules by Which a Great Empire May Be Reduced to a Small One [archives.gov]

This King, these Lords, and these Commons, who it seems are too remote from us to know us and feel for us, cannot take from us ... our Right of Trial by a Jury of our Neighbours. ... To annihilate this Comfort, ... let there be a formal Declaration of both Houses, that Opposition to your Edicts is Treason, and that Persons suspected of Treason in the Provinces may, according to some obsolete Law, be seized and sent to the Metropolis of the Empire for Trial; and pass an Act that those there charged with certain other Offences shall be sent away in Chains from their Friends and Country to be tried in the same Manner for Felony. Then erect a new Court of Inquisition among them, accompanied by an armed Force, with Instructions to transport all such suspected Persons, to be ruined by the Expence if they bring over Evidences to prove their Innocence, or be found guilty and hanged if they can’t afford it.

(emphasis his)

Details on the exploit? (1)

RyuuzakiTetsuya (195424) | about 8 months ago | (#46727801)

I've been trying to find some sort of write up on what was exploited and how it was found.

Does anyone know where to find any of this documentation?

Re:Details on the exploit? (0)

Anonymous Coward | about 8 months ago | (#46727949)

Read the court of appeals reversal. It outlines what happened quite well.

Re:Details on the exploit? (1)

FuzzMaster (596994) | about 8 months ago | (#46728013)

It's very clearly explained in the opinion PDF linked in the summary.

Court of Appeals for the 3rd Circuit (0)

Anonymous Coward | about 8 months ago | (#46728227)

Actually, it is the United States Court of Appeals for the 3rd Circuit. The District Courts are the federal trial courts, whose decisions the courts of Appeal review.
