Is Weev Still In Jail Because the Government Doesn't Understand What Hacking Is? 246
Posted
by
samzenpus
from the you-say-tomato-I-say-tomato dept.
from the you-say-tomato-I-say-tomato dept.
Daniel_Stuckey writes "Last March, weev, the notorious internet troll who seems to be equally celebrated and reviled, was convicted of accessing a computer without authorization and identity fraud, and sentenced to serve 41 months in prison.'He had to decrypt and decode, and do all of these things I don't even understand,' Assistant US Attorney Glenn Moramarco argued. Here, on a Wednesday morning in Philadelphia, before a packed courtroom, the federal prosecution argued that a hacker should spend three and a half years in prison for committing a crime it couldn't fully comprehend. Previously, Orin Kerr, a law professor at George Washington University and weev's defense attorney, had argued first and foremost that there was no criminal hacking to speak of. According to Kerr, what weev and Daniel Spitler (who pleaded guilty to avoid jail time) had done while working as an outfit called Goatse Security was entirely legal, even though it embarrassed public officials and some of the country's biggest corporations."
Goatse Security??? (Score:5, Funny)
They totally sound trustworthy.
Re:Goatse Security??? (Score:5, Funny)
Re:Goatse Security??? (Score:5, Funny)
And backdoors.
Re: (Score:2)
Goatse Security we do pron and other sites that the other People will not touch with a 10 foot pole.
Re: (Score:3, Funny)
They totally sound trustworthy.
Some use security-by-obscurity
Others prefer security-by-scarity
In the 18th century ... (Score:5, Insightful)
... people can claim that they did not know how to do witchcraft, but they could point out to the judge which person were witches which were not.
In the 21st century, people can claim that they do not know how to hack, but they can tell the court who are the hackers and who are not.
As if people never learned any lesson from what had transpired three long centuries ago.
Re: (Score:3)
Actually, its not a very good idea at all, to name names, when you are headed for prison.
You might think you are getting a shorter sentence and you might, but, it just wont matter.
With the tag of snitch stuck to you, you enter a world of men who fear snitches. These men kill what they fear.
So it doesnt matter if you got 10 years or 1. It doesnt take that long to die. Punk City (p.c. or protective custody) wont save you either, especially if you are a high profile snitch. Just get over the tellin on people b
Re:Goatse Security??? (Score:5, Funny)
Its due to the courts' zeal for punishment (Score:3, Informative)
...particularly for punishing small fries who get in the way of large corporate interests and other big shots.
Along the same lines, we can ask why 'Bidder 70' went to jail [billmoyers.com] for stopping the illegal sale of public land.
Re: (Score:3, Interesting)
and well..
quite frankly due to the prosecutor not understanding what he had been doing it's just about punishing for joking around. it should be illegal to prosecute something you can't understand. "I don't know what he did but he sure looks guilty, right!? you must convict!".
circa 1997 this happened to me, sort of. ran a traceroute on the wrong night to see where my emails were routed through(our school mandated the use of an internal email system where server wasn't internal and there was no encryption on
Re: (Score:2)
and well..
quite frankly due to the prosecutor not understanding what he had been doing it's just about punishing for joking around. it should be illegal to prosecute something you can't understand. "I don't know what he did but he sure looks guilty, right!? you must convict!".
circa 1997 this happened to me, sort of. ran a traceroute on the wrong night to see where my emails were routed through(our school mandated the use of an internal email system where server wasn't internal and there was no encryption on the email clients(email client was mandated to be a certain windows email reader). now of course I had my machine full of warez(games and early music warez), winnukes, jolt of the day etc(and had winnuked some people so not totally innocent really of everything).
but what shocked me was the police interrogation, because they tried to make me sign something I had not said, because they did not understand the claims made by the "victim"(city) were impossible to have happened from my actions(and claiming shit like me crashing hospital internal network, hopping a supposed airgap and other stuff that I did not do, they just had some internal meltdown of the windows servers routing the traffic on the same day). the way the interrogation went was "you know what you did, tell us" and 16 year old me going "what the fuck dudes?".
originally they wanted me to confess to something technically impossible and it took them nearly 2 years to figure out that they did not know what to charge me with(and for the prosecutor to deem the investigation incompetently done and drop it, and it cost the state quite a lot for nothing...). I mean, the
posting anon but it's not too hard to figure out who this is for those who know.
anyway, doesn't matter which western country you live in always check what the coppers want you to sign and ask the fuckers to rewrite it to match what you actually said. after that ordeal I was convinced 20-30% of "solved" crimes are just pinned on some druggies in withdrawal who don't read what they sign.
Thanks for the advice.
Re: (Score:3)
Investigations cost time and money, and can potentially be embarassing. So prosecutors really want to skip all of that and just get a nice simply guilty plea. They have a few tricks to make that happen, the most obvious being the use of threats - they'll come up with a list of charges long enough to get you jailed for fifty years or more, but then generously agree to drop almost all of them if you back down then and there and agree to plead guilty to the most minor ones and just do a couple of years or pay
Re: (Score:2)
He's no Tony Blair or even a Mitnick or a Zimmermann. He might make $10k if he's lucky.
Goatse security (Score:2)
No idea about the legal aspects, but given the images that the name brings to mind I think I would pass on its services.
Beta is broken and just doesn't work why even call (Score:3)
Can we please stop this foolishness. Now I'm off to reddit where I can enjoy my free time.
Once more in plain English Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Re: (Score:2)
Re: Beta is broken and just doesn't work why even (Score:5, Insightful)
"Classic works for me, remove the 'beta' stuff from the url."
Be careful, or you'll be tossed in jail for hacking /.
Re: (Score:2)
Donning CBR Gear (Score:5, Insightful)
Weev is whale turds. He's the lowest of the low, he knows it, and he relishes it. He's like a wolverine, pissing and shitting on the carcass he found, so nobody else will try to eat it, even though he can't stand his own stench.
Which is why it sucks so God Damned much to have to defend his useless ass!
But then, if you can't defend the worst of the worst from clear injustice, then we don't even have the hope of having a republic.
Re: (Score:2)
Idealism is noble and all, but sometimes in general when I read /. comments these days I feel like folks are missing that "ideal" is mostly an imaginative concept. Combined with the slippery slope fallacy, a spoonful of pseudo-anarchy idolatry, and a dollop of moral relativity, it would seem that we are in the face of impending doom with every little tiny ripple in the vast ocean of life.
This guy is a complete, disgusting, repulsive, degenerate, piece of garbage that deserves what he is getting right no
Re:Donning CBR Gear (Score:5, Insightful)
Our justice system was set up the way it is for a very good reason, and it's incredibly naive of you to think that this is okay because weev is an asshole.
Re: (Score:2)
What you have here is an idiot prosecutor, who didn't know enough not to admit what he didn't know. Is the law often ignorant of technology? Yes, particularly this time, but the world self-corrected in this case (it tends to do that) and still stuck this little bastard in jail.
Actually, what you have here is an idiot slashdot poster who didn't know enough not to admit what he didn't know. Is technology often ignorant of the law? Yes, particularly this time.
Now according to what others posted here, this "weev" seems to be the kind of person that everybody should punch in the face wherever they see him.
Re: (Score:2)
In sortof agreement with what you said: this seems to be a simple case of jury nullficiation, but in the opposite direction /. seems to desire. People here like to advocate it as a way of getting someone who was arrested under an unjust law out of trouble. But the truth is, far more often it is used in a matter that results in convicting those who exhibit scummy behavior, regardless of the evidence.
Re: (Score:2)
You don't need to defend people who are only trying to hurt others.
He did the wrong crime (Score:2)
If he raped, stole, did drugs, mugged someone, I bet he would get far less time. There are even whole groups of people that get arrested over 60+ times!!! [google.com]
Don't hack. To do so might mean maximum prison in solitary confinement. You think I'm joking, but that's how afraid these clueless people are. They view hackers as some magic wizards that can open cell doors with thought alone.
Prosecutors did a Google search... (Score:2)
...for the name of his security company, clicked on the first link, and said "OK, asshole, now you're going down!"
Now insert your own PMITA Prison/Goatse joke here...
The Free World Defense? (Score:2)
Maybe they should have told the court that they had no authority to charge or even know any information about the case or the defendant's actions since national security and the safety of entire free world was at stake. That seems to scare every other court off, right?
A hundred years from now... (Score:2)
We will look back on things like this and think, "Holy shit, we imprisoned people for that? Man, that was stupid. I'm sure glad I didn't live in that barbaric era of witch-huntery!"
I don't know whether it's illegal or not. (Score:2)
What he did seems rather grey to me. I don't exactly buy the argument that this was legit access. Especially when he went and downloaded 140,000 some email addresses.
41 months does seem like a ridiculous sentence for stealing some freaking email addresses though. Is it really supposed to be worse just because he got Michel Bloomberg's email address? Isn't punishment supposed to be based on harm done? For a crime, this sounds pretty penny-anty.
NYtimes, I never got to Weev (Score:2)
I started at the NYtimes link and it wore me out; it was supposedly about Weev, going from "a hero", to /b/, to Lulz and that was just the prep, I didn't care to read any more about it.
http://www.nytimes.com/2008/08... [nytimes.com]
TV Courtroom Drama... (Score:2)
Defense Lawyer: I'd like to call the prosecutor to the witness stand.
Prosecutor: Objection
Judge: This is completely out of bounds.
Defense Lawyer: Your honor, if you would just allow this for a minute...
Judge: Agreed.
(Prosecutor takes witness stand)
Defense Lawyer: Exactly which law is my client accused of breaking?
Prosecutor: The computer security and fraud act.
Defense Lawyer: And exactly how did my client break this law?
Prosecutor: He hacked into the NY Times and stole email addresses.
Defense Lawyer: You mi
Re: No. (Score:5, Informative)
Any public URL that is unencrypted is not a secret. Snooping on plaintext is not snooping at all. And he had no legal requirement to notify AT&T first. Besides, even if he had, they don't care about security until it goes viral. I notified them of a information leak on their iOS translation app that allowed other apps access to your translations and location data. Not only were they unable to figure out who was responsible for the app, they ultimately told me to call Apple. I tried the support for the app as well as customer service. I email their PR rep too. Zero response.
Re: No. (Score:2)
He should not have been found guilty of hacking.
But, he's a sadist who spreads misinformation and lies. Lethal injection.
Re: No. (Score:4, Insightful)
Americans are never happy unless you're getting your human sacrifices, eh?
Re: (Score:3)
Re: No. (Score:5, Insightful)
Any public URL that is unencrypted is not a secret. Snooping on plaintext is not snooping at all. And he had no legal requirement to notify AT&T first. Besides, even if he had, they don't care about security until it goes viral. I notified them of a information leak on their iOS translation app that allowed other apps access to your translations and location data. Not only were they unable to figure out who was responsible for the app, they ultimately told me to call Apple. I tried the support for the app as well as customer service. I email their PR rep too. Zero response.
I'm really uncomfortable with that logic. First of all saying that if all it takes is typing in a URL, then of course its public belies a level of ignorance just as high as the government in this case. "Just a URL" in the modern internet could be anything. SQL-injection is programmatic hijacking of a database server, but it often requires "just a URL." Buffer overflow attacks require just a URL, many apache worms required just a URL to propagate because of the way URL content can be processed. Just a URL is like saying all programs are just notepad documents. It cannot be the case that "if I can get there, then I get to take whatever I want" is the rule of the internet. I read in another article the analogy that AT&T basically put the material on a library bookshelf for anyone to read. That's not a good analogy: a better analogy is weev went to a public library, found that someone forgot to lock the door to the reserve stacks, and decided to go there and take a bunch of books home with him just because he could.
That is not the person I want to be the flag-bearer for my sense of fairness.
Second, giving anyone who points out a failing in others a free pass to point it out by any means is also something I'm really uncomfortable with. If its okay when done to big companies like AT&T and Apple, then its just as okay to do to smaller organizations like your neighborhood grocery store, or your house.
Re: No. (Score:5, Insightful)
I mean, fair enough. But if you can access every customer's record on a massive nationwide system by incrementing a single digit? That strikes me as "basically public". I sometimes exploit the same "hacking" to find the page of a webcomic I want to read if I forget the bookmark.
As the article says: Does he deserve to go to jail? Probably. For this? No.
Re: (Score:2)
ICC-IDs are not sequential. You'd have to try a lot of them before you get a successful hit.
Plus, if the API wasn't told to you by AT&T, then it's not public.
Re: (Score:3)
If you can go to the store and buy one, and put it on your network, and your network monitoring software can show you what it's doing, and it's unambiguously doing something that's easy for you to do, and makes it easy to get something that arguably ought to be a secret without your having performed any heavy duty rocket surgery...
It's public! Any of your customers can gain this knowledge without anything you didn't just plain give over to them! If responsibly disclosed and the company won't do anything a
Re: (Score:2)
You think there should be defences for someone codes a SQL injection in this day and age?
Because by penalising the 'attacker', you are creating a defence for it. They are the bad person, we are the victim.
When in reality it is pure incompetence - like leaving the till open and realising a hour later that it is empty.
Now I'm not saying that hacking websites is maliciously is right, but there needs to be a *greater* punishment against whoever allowed it to occur to begin with.
Someone who leaves the till open
Re: (Score:3, Insightful)
yep, there's the good ol hacker "she was asking for it" defense.
the egg would have been all over at&t's face if this info had been released anonymously. but weev had his awesome internet persona to worry about.
someone forgot to tell him the cool part of hacking is not getting caught
Re: (Score:2, Insightful)
How is this any different from someone just unlocking your front door because the lock mechanism is stupid and helping himself to all your belongings? Or how would you feel if you left your house and you left one of the windows open and so someone decided because the window was open, he is basically invited in to your house and can take whatever he wants? Only a fool would make that argument the thief has any right to be in your house. You can argue the homeowner should be more careful and get a better l
Re: No. (Score:4, Interesting)
Let's take this idea to an extreme scenario, albeit one that's not too improbable. For a very long time, a nuclear launch code was actually '00000000.' Let's say some hacker had accessed their network, determined this was the case, and made all of the machines with displays on the network say 'Change the fucking password before you doom us all, you stupid fuckwits.' Who are you going to be angry at, the hacker who intercepted their network, or the party that ignored their responsibility in protecting something that could have potentially destroyed civilization as we know it?
So we are back to this (Score:5, Insightful)
Seems there is a prevalent feeling on Slashdot that if you leave yourself exposed, wittingly or unwittingly, then the folks who take advantage of that exposure should not be held accountable, should get the benefit of the doubt, or in some cases, even celebrated.
The principal at stake here is the social contract of Trust. We trust each other to not harm one another in everyday life. I trust the clerk at the gas station to not bash me in the head with a bat. He trusts me to not do the same. I trust that the people I invite into my house won't go through my stuff, that they will respect my privacy, and won't steal anything, etc.
People who violate this trust are called criminals, thieves, murderers, etc. Despite what the News says, this does not occur all that often. If it did then we'd be like Somalia. It's why we can function as a society.
Whatever the circumstances that led to this guy accessing, downloading, and keeping the information, he violated the general trust that we all have that others won't mess with our shit, even if we leave it exposed. He also violated the law, which says, in a nutshell, don't fuck with other people's shit.
If you want to use the unlocked door analogy, what did not do was leave a nice note for the owner saying, "hey, I found your door was unlocked". Instead, he went inside and took stuff, then put up posters all around the neighborhood telling people the door was unlocked, which door it was, and what stuff he took.
both (Score:2)
Re: (Score:2)
How is this any different from someone just unlocking your front door because the lock mechanism is stupid and helping himself to all your belongings?
The law on trespassing is that if your property is not plainly posted according to certain detailed legal requirements and you leave your door open or unlocked and someone enters your premises and/or if they cross onto your property, you may order the individual(s) to leave, and if they comply without delay, they have not committed a crime, regardless of what they may have seen while on the property and/or in the premises, and are under no legal obligation to keep it secret barring a court's order.
An intern
Re: (Score:3)
For the most part, on the web it really is up to the server to tell you if you're going somewhere forbidden. It's the only way to positively know.
I acknowledge that in this particular case, it could be argued that he should have soon realized that he was in a restricted area. However, given the convention (for the web AND for a physical business presence) and the ambiguity, it sounds like a misdemeanor charge at most to me.
If you're going to talk about fairness, you must address a 3.5 year prison sentence f
Re: (Score:2)
You've got a point, but on the other hand, what if someone codes up such a "hack" and puts said URLs into some harmless looking web page, and I click on it. Am I now guilty of hacking AT&T?
I'm tempted to say that at the very least, URLs that don't involve remote code execution should at the very least be not considered hacking. If the URL calls a server which executes code in exactly the way it was designed to if you access that URL, then it shouldn't be hacking.
If the URL causes the server to execute a
No thousand time no (Score:3)
"Any door that is unlocked is not a free for all. Openning and entering that door is not trespassing at all. And he had no legal requirement to notify the door owner first. "
We have already enough law on the book. If youa re accessing a direct URL and manipulate URL to see what is not normally accessible thru the publi
Re: (Score:3)
I am sorry but going to have to disagree here. A url with an obnoxiously long query string, that is plainly designed to be used by a web service etc and not published isn't public. Using in what you can reasonably know is an unintended and potentially abusive way isn't right. Just like walking off with someones property they left in their yard is not right, but its also not as severe as breaking and entering. Ditto if I leave my house unlocked, if you enter you are trespassing, if you take something its
Re: (Score:2)
Re:No. (Score:4, Insightful)
Ah... no. If I can type the exploit into the address bar and I need no more than autohotkey to download their entire god damned database then that's not a hack. They made their bathroom walls out of glass and then complained that he was a peeping tom for setting up a webcam from across the street. Scuzzy? yes, but not illegal. The government shouldn't have to protect you from what common sense should.
So if you forget to lock your front door (Score:5, Insightful)
And it blows open in the wind, I can just hop on in to your house and nose around?
The answer, in case you are wondering, is no. While you should take precautions to secure your house, your failure to do so is not the same as permission to enter or do as I please.
Re:So if you forget to lock your front door (Score:4, Insightful)
This isn't a house, it's an office building.
And he didn't just walk in, the server provided the information to him.
So, he walks into an office building, asks the security guard if he can walk right up to the conference room, and the guard says 'yeah, sure, why not' so he does...and now he's being arrested for trespassing.
Re: (Score:2)
Right. He was just sitting there looking at a gmail screen when an AT&T server just started filling his browser with ICC's and email addresses.
He had to *request* the address for each, individual, ICC, through an internal interface that is not publicized. An interface he found while digging through the activation process (looking at the network traffic), apparently. The CFAA has no requirements for a lock-and-key system to constitute unauthorized access; witho
Re:So if you forget to lock your front door (Score:4, Funny)
Re: (Score:2)
If he had walked into the office building and asked the receptionist at the front "hey what is the email address for customer #1234" and it was given to him, would that be identity theft? Trespassing? What if he asked for all the customers' email addresses, and got them?
Oh right, you have the CFAA. It's different because it's on the Internet. Thanks to all our representatives who are scared
Re: (Score:2)
So, he walks into an office building, asks the security guard if he can walk right up to the conference room, and the guard says 'yeah, sure, why not' so he does...and now he's being arrested for trespassing.
A closer analogy would be the following;
Walk into an office building a few million times each time asking for different room numbers and when he find one that exists the security guard says "yeah, sure, why not"...
By the way the security guard is blind so he has no way of knowing if you have been there before.
It was the act of brute forcing the IMEIs with millions of attempts gaining over 100k email address that got Weev into trouble. The judge even said that had he stopped a few he would have gone free.
Re: (Score:2)
In France we actually got someone behind bars for something very similar with a law that I find pretty smart that says approximately: "If you are somewhere where you *know* you shouldn't be, and you don't get out immediately but you *knowingly* stay there and snoop around, then you're guilty."
I think that's the expression of common sense. It might be just me.
Re: (Score:2)
The problem is, you don't know what someone else knows. And while you might say most people ought to know they oughtn't be in a certain place, not everyone has the same sense of boundaries as you do. Or in other words, this law that sounds very clever is in fact incredibly vague. I mean just for starters, define "shouldn't be". Shouldn't in what sense?
Re: (Score:2)
Re:So if you forget to lock your front door (Score:4, Insightful)
He never entered. He took pictures through the open door. Hell, they didn't even have a door, just a bead curtain that fell down.
Re: (Score:3)
How about if I did lock the door but you made a really fast key cutter and tried a million different keys on the lock and a few of them worked.
Re: (Score:2)
I do that all the time. For example, I surmised that Apple corp might have an Australian office, and lo and behold, apple.com.au worked. I surmised something else. Their products might be at apple.com.au/products or maybe apple.com.au/store, and lo and behold, that worked too. Guessing URLs is not generally a crime.
Re: (Score:2)
Re: (Score:2)
Worse than that. Someone is walking along a public street, waving a sign at passing cars. This person didn't dress properly before going out in public, and has no clothes on. He does not get to sue all the drivers for being peeping toms. He can't complain if someone takes a picture. Instead, the police can arrest him for indecent exposure.
Anyone who hooks a server up to the Internet is going out in public. Dress appropriately.
Re: (Score:2)
So all upskirts pictures are legit and we should encourage people to take them?
After all, all those panties are out in public and protected by just a skirt which you can look below... from a public place.
Your vision of what is right and wrong seems to be broken.
Re: (Score:3)
Step in your house, no. LOOK in your house from the curb, sure. If the doors are open it's a public place.
At the risk of propagating this analogy-hell, I'm pretty sure that if your door is open, your property is still not a public place.
In the UK for example, if you point a camera at a building with a normal lens, that is fine. If you point a camera at a window with a high-zoom, that is not. Intent matters!
Re: (Score:2)
Yeah, but on the WWW, how are you supposed to know what is public or private? It's not like there are web sites with a banner saying "Don't come to this web site". No, if the URL works, the assumption is its public. If the URL asks for a user name and password, then you shouldn't go beyond that if you don't have said password. If the WWW wasn't like that, then you'd have to make a phone call to Coca-Cola to see if they're happy for you to go to coca-cola.com.
As for the UK and your claim about "normal lens",
Re: (Score:2)
Of course you can know. This guy knew. He was deliberately trying to find stuff that he knew wasn't supposed to be public. If you didn't know then that would be a defence, but I can't see that being the case here.
The law isn't technical absolute booleans, intent matters, and what the person is trying to do is part of it. What a reasonable person expects and would I don't see the photography thing as a crazy law, should you be allowed to pry into my house just because technically you can and there's no cast
Re: (Score:2)
The rules have always been different for a private home vs. a business open to the public. In particular, the default for a private residence is that you may not enter without invitation. For a business open to the public, the assumption is opposite.
It's why you don't have to ring the doorbell to go in to a shop when the door is unlocked and no closed sign is displayed.
Re: (Score:2)
But he didn't walk in. He just peeked from outside, and didn't touch anything. It's not ilegal to LOOK inside your house from outside if the wind blows the door open.
Re: (Score:3)
It's like walking through a door you know to be private property, you have no right to access, but because it's unlocked, you just walk through and start taking pictures of everything you see.
In reality, this is still trespassing and you're accessing something you have no authorization to access.
Granted, like I said, AT&T isn't off the hook for lousy security, but this doesn't forgive what weev did.
Re: (Score:2)
No, he was walking through a side door he found by snooping on the behavior of the building.
If weev hit an API end point that was being advertised on ATT.com, that's front door
If weev had to snoop on the traffic from an iPad that was registering itself with AT&T then that's certainly not front door. Front doors are obvious. This end point wasn't.
Re:No. (Score:5, Insightful)
Ah... no. If I can type the exploit into the address bar and I need no more than autohotkey to download their entire god damned database then that's not a hack
Too bad that is not what happened. He tried millions of possible IMEIs to get the information. That is not far off from a brute force password attack. That was also where the identity fraud charge came from. The IMEI is used to identify the owner of the phone and by using someone else'es IMEI her was fraudulently acting as the owner of the phone.
Re: (Score:2)
Quit being a weeny and go do it!
Then you can be cell-mates with weev, and everyone can point fingers at you and laugh.
["Yout honor, I didn't burn down that house, it was the house being made of wood that was unsafe because fires occur in nature
Re:No. (Score:5, Insightful)
Further more instead of going to ATT, he went to Gawker first.
This, a thousand times.
When you discover a vulnerability:
* Do not go to the vendor. They will often ignore it or sue.
* Do not go to the school or business. They will ignore it, sue, fire, and expel.
* Do not go to the government. They will imprison.
* Do not go to the Interwebz at large. You get everything above.
Take the exploit and related proof to a trusted, large, well-established security company that accepts anonymous submissions and will publicly disclose the exploit if not addressed within a specific number of days.
Re: (Score:2, Insightful)
Further more instead of going to ATT, he went to Gawker first.
This, a thousand times.
When you discover a vulnerability:
* Do not go to the vendor. They will often ignore it or sue.
* Do not go to the school or business. They will ignore it, sue, fire, and expel.
* Do not go to the government. They will imprison.
* Do not go to the Interwebz at large. You get everything above.
Take the exploit and related proof to a trusted, large, well-established security company that accepts anonymous submissions and will publicly disclose the exploit if not addressed within a specific number of days.
Or you could sell it, and make potentially a lot of money, and not have to deal with any of the above consequences.
I believe this is what is called a perverse incentive.
Re: (Score:2)
Better yet, sell it to the highest bidder.
Re: (Score:2)
Better yet, sell it to the highest bidder.
That would presumably be a three letter agency, which might not fit with your ideology.
Re:No. (Score:5, Insightful)
Fuck that. If disclosing it to these people puts yourself at great risk, it's no wonder it just gets uploaded to the most convenient 0day full disclosure community. Then they HAVE to take it seriously. The broken dynamic is the fault of corporates and governments, not 'hackers.'
Re: (Score:2)
The broken dynamic is the fault of corporates and governments, not 'hackers.'
Let's be more specific. It's the fault of lawyers. There are many decent people in corps and governments, and even decent lawyers, but the bad ones poison the well for all others.
Re:No. (Score:5, Informative)
Can we prosecute the NSA for the same crime? Presumably if the prosecutor doesn't fully understand what NSA actually did then that should be good enough to convict.
Re: (Score:2)
This is irrelevant.
A troll jailed for no reason is a fitting punishment for a troll anyway, so there.
Weev = Miserable Internet Troll (New York Times) (Score:3)
Honestly, based on all indicators from the press over the last couple years, Weev has been a fairly miserable human being on most accounts, interested in causing disruption and not much else. The New York Times in particular did a very good expose on a number of individuals (Including Weev), covering their behaviors over the last couple of years, and their admitted trolling behaviors.
* http://www.nytimes.com/2008/08... [nytimes.com]
Here is a gem, highlighting some of his conduct.
Weev, the troll who thought hackin
Re: (Score:2)
BTW The New York Times is a troll generator, it causes imitation by feeble minded losers by devoting articles to these rookies.
Re: (Score:2)
If you have to go out of your way to find it, it's not public. If you break in because of lousy security, it's still not public.
Read the law.
http://www.law.cornell.edu/usc... [cornell.edu]
(a)(2) and (e)(2)(B) are relevant here.
Note: protected is not defined as having any security measure in place, it seems to me that protected means protected by the law at hand
Re: (Score:2)
Because Netflix isn't pressing charges.
If person A trespasses on person B's property, and then charges them for trespassing, it's not hypocrisy when person C walks in on person D's property and they don't care.
Further more, Alexis Madrigal didn't scrape 110k+ emails from Netflix's customer database.
Re: (Score:2)
Here are a couple of differences between what Weev did and what the reporter did.
Reporter
Tried a sequence of numbers totaling maybe 100k in sequence of which most were valid.
The data retrieved is movie genre tags. The use of the data is to translate a number into a string of text to display the Netfix genre code on browsers and apps. There is no privacy concerns or profit potential for this data.
Each data point retrieved is designed to be used by millions of people. Anyone with "Japanese Horror Movies" in t
Re: (Score:2)
Sorry but these are very different things. The Netflix database was meant to be public while the iPad one was not.
The fact is both were on web servers. The entire point of a web server is to handle requests, if you don't want something publicly accessible, begin by not putting it online. How are we to determine what is or isn't authorized? If you put something online, and later say that someone wasn't supposed to access it, who is liable?
The data is designed to be used by the owner of the phone as identified by the IMEI and not anyone who can spam enough possible IMEIs to fins a valid one.
If only there were some way to flag and block repeated attempts... this is about as brilliant as those folks who decided using a Social Security Number as a means of identification.
Re: (Score:2)
if you don't want something publicly accessible, begin by not putting it online
So no online banks, credit card companies, etc. Just because it is on the web does not mean it is public.
Defending negligence will not improve things.
Defending people who exploit negligence does not improve things either. In my opinion there should be consequences for both Weeve and Apple.
Re: (Score:2)
So no online banks, credit card companies, etc. Just because it is on the web does not mean it is public.
Absolutely it does, it's implicit when it's on the web (short for World Wide Web) especially without authentication (doesn't that usually involve username + password?). Ultimately I believe you're arguing about intent of the organization, something the web server and client know nothing about. Requests (not demands) are received, and the web server replies. Private networks are just that, not publicly accessible. This is the digital equiv. of driving down various streets (publicly accessible addresses) incr
Re: (Score:3)
Would you defend the government for making a system where simply using a street address would allow one access to information (taxes etc.)? How about your Bank? Explain your reasoning, please.
I am not defending AT&T. I think they should be heavily fined and hopefully someone go to jail. I also think that someone who exploited the hole should also be sent to jail and heavily fined. The only people I am defending are the ones who had their information stolen.
Absolutely it does, it's implicit when it's on the web (short for World Wide Web) especially without authentication (doesn't that usually involve username + password?)
There are some authentications that do not use user/password. For example, Paypal Payflow uses a signature which is a single long number that identifies that account and gives authorization for access. It is a single number somewhat like a
Re: (Score:2)
I am not defending AT&T. I think they should be heavily fined and hopefully someone go to jail. I also think that someone who exploited the hole should also be sent to jail and heavily fined. The only people I am defending are the ones who had their information stolen. ... In my view the problem was caused by both Weev and AT&T they both should be prosecuted. What do you think?
Jail I believe should be for violent offenders exclusively, jail time for accessing something, even millions of times is ridiculous. If he obtained protected information (cardholder data, SSNs) maybe, but if it isn't "protected" (say an email, first and last name, type of phone etc.) or doesn't come with any terms, it's fair game and the blame for the boring disclosure resides solely with the company since each request was authenticated by them. We have far too many people in Jail as it is. We're the world
Re: (Score:2)
Re: (Score:2)
Agreed. If more people took the stance of "both are wrong and should be punished" maybe something would happen. The "Weev is innocent" chant just muddies the waters and dilutes any pressure to prosecute AT&T.
Re: (Score:2)
Ok then is it hacking if I open http://facebook.com/Some.Rando... [facebook.com]
what makes it hacking or not? if theres a direct link on other page?
Re: (Score:2)
So no online banks, credit card companies, etc.
Sure, if your bank is dumb enough I can walk up to a teller and say "hey, my account is 1234 give me all my money" and they do so, no questions asked, and not even asking to see my ID. And then I walk to the next teller and say "hey my account is 1235..."
In that case we're doing the world a favor by banning them from the internet.
Re: (Score:3)
you know holding a gun to someones head in a game of russian roulette.
You're doing it wrong.
Re: (Score:2)
In 1997, MT&T launched RADSL service Mpoweredpc.net(7mbps down, 1.088mbps up $45mo)t; As a customer they gave me a printout of a url for my account information. I modified a few random looking numbers on the URL and sure enough, it was an ID for other customers profiles(could go through them all)!!
The old slip accounts were great for this, there was trust back then you could do a "Who" and see who was online (from that ISP), finger worked, and lots of Unix commands available to work with. I asked why I didn't have that access a few years later and almost laughed at, well we don't allow that anymore.
Even then a web address you could back track into their directories, guess a /address and get lucky, (a few hack sites ever required it). It was easy going, you just can't do that anymore, you can guess a