Weev sentenced to 41 months for exposing AT&T security flaw

Andrew 'weev' Auernheimer was sentenced today to 41 months in prison for finding a security flaw in AT&T's website, writes Matt Brian. The "hack", which exposed iPad users' email addresses, involved entering serial numbers into a publicly accessible web form. While one journalist lamented that prosecutors "admitted they didn't understand computers", court documents also showed that Auernheimer had entertained the idea of using the info for a phishing trip. He also said stupid things on Reddit last night to encourage maximal outcomes, as is his wont. [Verge]


  1. Reading the coverage (including the reddit AMA), the impression I get is that the sentence he’s been handed is based on one part actual malfeasance, one part of “we don’t really understand computers or the Internet”, and one part of “seriously, this guy’s an asshole”.

    I don’t believe it’s the responsibility of the government to punish someone for being an asshole. If it is, then they’ve been seriously neglecting their duties lately and they have a lot of catching up to do.

    1. If ever there was a place to put a cap on being an asshole – it’s in court.  Judges seem to hate with a capital H anything that would make them appear to be less than impartial. 

      Whether or not the judge is right or wrong on that doesn’t matter. Making a show of acting like an ass is only going to come off poorly.

    2. I don’t see why so much is being made of the prosecutor’s computer literacy.  It’s as if he is of lower social class for not knowing how a DNS server works.  Yet nobody remarks on how little the hacker seems to know about law.

      Well – except the judge.

  2. I’m equally amazed at the duration of the sentence as I am at the idea of financial restitution — he’s expected to pay to notify AT&T customers that they had a website that publishes email addresses, as if it’s the yellow pages.  He basically used a reverse phone lookup website.

    It would be nice if someone, like the EFF, went after AT&T in a Class Action lawsuit for “consumer rights”.

    1. I agree… I’m waiting for AT&T to be prosecuted for improper security protocols. Some level of the blame should fall in the lap of AT&T for being so fucking inept.

  3. He released user information to Gawker claiming to have warned AT&T about the vulnerability, when it turned out he hadn’t. He also talked about using the data for future phishing activities.

    Read his Reddit AMA he did last night for some context about what a tool this guy is.  http://www.reddit.com/r/IAmA/comments/1ahkgc/i_am_weev_i_may_be_going_to_prison_under_the/

    He’s no Aaron, that’s for sure.

    He did nothing that a moral, professional “hacker” or security professional would do, and are still doing.

    Does he warrant such a long jail term?  I don’t know, but it seems to me that he was literally asking for it.

    I feel no sorrow for the guy.

  4. It couldn’t’ve happened to a nicer wannabe-rapist scumbag troll waste of skin.

    Why does BoingBoing ever run articles about this guy without mentioning that whole rape-threats thing? It’s like you *want* people to think he’s the good guy.

  5. Google’s web crawler is more aggressive than Weev.  Appeal.

    It is long overdue to start repealing these bad cyber laws.

  6. Yesterday I subscribed to an Australian Federal Government job search web site and practically every form I filled in had a check box which I had to tick to indicate that I had agreed to a bunch of security requirements which added up to me saying that I would not make up my own URLs, and only use the ones provided by the server.

    1. That seems like a short-sighted way of looking at this. I don’t disagree that perhaps this guy was scum that deserved jail time… but if you send him there for doing something that is innocuous then it sets a precedent… and law is one of the areas where that sort of thing matters… http://en.wikipedia.org/wiki/Precedent

      1. The precedent here is if you act in a disrespectful manner in court, to the point that you are insulting the judge and even refusing to listen… and then you go on Reddit and make a fool of yourself (which the judge CAN use as trial material, because “anything you say can and will be used against you”), you will go to jail for a lot longer than if you didn’t go on Reddit and cause shit.

        Seriously, his lawyer is an idiot.  The first rule a lawyer will tell you when you are accused is, “Do NOT talk about the case to anyone.  ANYTHING you say can be used in court.”   Weev has talked himself right into his sentence. 

          1. Then he deserves exactly what he gets.  The lawyers are put there to protect our rights in this system.  If you ignore them, then you are ignoring your advocate for justice, and the other side is definitely bringing THEIRS.  

            They got Al Capone on Tax Evasion.    They got Weev on this.  Both are bad guys who went to jail for something completely unconnected to why they SHOULD be going to jail.    

            I’ll fight against the law, because it’s vague… but he could have just had the 7 months and we’d still be fighting for the law. He intentionally chose to be a troll, because he doesn’t know how to NOT be a dick, and it added 34 months on the end of what the prosecutors wanted. I don’t consider that a hero, I consider that rank stupidity.

            This man is no Aaron Swartz.

          2. Yeah sure; but, let’s not conflate the issues.
            The difference between Capone’s tax evasion and this is that tax evasion should be illegal, and was a crime already… altering a URL wasn’t and shouldn’t be. So yeah, I have no sympathy for Weev or whoever he is… he can rot in hell for helping to set a bad precedent if nothing else… but one would hope the system could see past one guy being a dick and deserving it, and the actual “crime” he is charged with… which is what I think people are worried about. At least that is what I was talking about – the problem with charging someone with a made up “crime” just because they are a dick, is it could affect others who might not be dicks.

      2. This may be Weev’s longest-lasting and most devastating crime, and the irony is that it may be the only one he didn’t do on purpose, the only one that he would actually regret if he was smart enough to understand it.

        Ten minutes on Google is enough to leave no doubt that this is a man who deserves to be in prison. For the good of society he needs to be removed from it. I don’t give a shit whether or not he did this particular thing. I’m just happy he’s going away.

        And that’s a problem, isn’t it? Weev makes reasonable people applaud (possibly) unjust laws as long as they can be used against him. In the end, he’s just another tool of the police state. That’s irony.

        1. It’s unjust according to him. And he’s a known liar. It’s psychopaths like him who act as victims of the system who hurt the actual victims.

  7. The law may be horrible and stupid and mean, but he clearly did break it.

    Just because something is insecure doesn’t mean you have permission to access it. This guy was fully aware he was taking data which was not his. You don’t get to come on my property just because I have no fence and you don’t get to come into my house because the door doesn’t work.

    This physical metaphor is how cybersecurity is currently interpreted. I think it’s very silly. However, he did break the law.

    I once broke the law and had to go to a special class to atone for my sins. The guy running it said “You may think the law is stupid, and I might agree with you. Run for congress and change it, hell I’d vote for you. As of now though it’s against the law and it’s pretty silly to give up your freedom or your livelihood for something as silly as…[in my case it was pot, but in this case it’s lulz].”

    He decided the lulz were worth jail time.  I suspect he will regret that choice.

      1. Just because someone else got an unreasonably light sentence doesn’t mean his is unreasonably heavy.

          1. He gave no indication that he took the matter seriously, at all. Even if he thought the charge was bullshit, he should have taken the process seriously and shown the court some respect. Hell, it’s not the judge’s fault he was on trial.

            Judges see someone blowing off their case and they read that as “likely to reoffend”, which they deal with through the only tool at hand: a harsher sentence.

          2. He not only was viewed as likely to reoffend, he said in a reddit AMA that WHEN HE DOES THIS AGAIN, HE’LL GO FOR MAX DAMAGE instead of trying to be nice.  (And documents showed later that he never even contacted AT&T.)     

            What’s a judge going to think when they see at your sentencing “Yes, I did it, and I’m going to do it worse next time” 

      2. So part of it is their minor status. The other part is that sentencing actually takes into consideration the likelihood of the convicted to repeat offend. Yeah. This is justice.

    1. He clearly broke no law at all. There was no security mechanism in place at all. That’s provable. Enumeration of variables in an HTTP GET request is a supported use of the protocol.

      What mechanism was in place to be bypassed? Tell me. I am intimately familiar with the events that occurred. I can tell you for a fact there was no security mechanism in place on AT&T’s side. They published their customers’ data to the internet WITHOUT any security mechanisms at all. None.

      Prove that it was more than GET requests with enumeration of a variable.  You can’t.  You are wrong.  He broke NONE of the laws he was convicted of.  That is beyond doubt.

      1. So if you leave your door unlocked, you’re okay with me walking in and taking all your stuff, right? After all, there’s no security mechanism in place, so I’m not breaking the law.

        1. In this case the analogy would be… if you plastered your customers’ financial data on a billboard and I copied down what I saw on a billboard you set up in the middle of Times Square.

          In which case… NO THAT’S NOT ILLEGAL. 

          1. Yes, but that’s not what happened. Weev didn’t just write down info which was publicly displayed. He purposefully queried a database by pretending to be someone he was not with the direct intent of obtaining other people’s personal information.

            I agree it’s fairly silly that this kind of thing is as illegal as it is, but I do think it is actually illegal.

            There aren’t any open questions of fact or law I can see here. Whether the law is good or not is a completely separate issue.

          2. See my below comment. An enumerated variable is not a personal identifier. HTML and HTTP are both public standards. It’s very explicit in defining them as NOT being identities. You don’t get to change publicly standardized protocols because you are butt hurt you implemented technology wrong.

      2. Currently the law does not require a security mechanism to be in place. If you take a wallet you find on the ground you are at that moment guilty of theft. There are a few cases of the NYPD setting up stings in subway stations and arresting people who were just looking for ID so they could return it. I think it’s kinda silly, but that’s how it is.

        This is not the case of him breaking the law in protest.  He did it for the lulz and for the notoriety.

        Once I was in another country and checked my ATM balance and it said I had some $100k in my account. I asked a friend I was travelling with who was a lawyer if I could just withdraw this money. She said “Of course not!” The reason being IT WAS NOT MY MONEY. Theft is when you take something that is not yours. It does not matter if it comes into your hands by someone else’s mistake. When you take something that’s not yours it’s theft. It might be excusable in some cases if you didn’t know it wasn’t yours, but you cannot take advantage of security lapses. Can you imagine what society would be like if what you said was true? If it was just OK to take possession of any unguarded object? It would be chaos!

        If you did find a lot of money on the street, what you can do is turn it in to the police, they will hold it for some 30-60 days, and if it’s unclaimed after that time you can have it.

        But you don’t get to just have things because they are not protected.

        1. Let me explain to you an analog similar to above but different. The public access server AT&T set up broadcast information when you pressed a button. You press a button and it screams out people’s data. The buttons are there. In public. In the middle of a public space. Guy comes up. Starts pressing random buttons on this device. It starts spitting out data. He starts videotaping himself doing this on a cell phone.

          This wasn’t a wallet. This wasn’t someone’s personal private data. AT&T put this data in the public. They built a system DESIGNED explicitly to put this data in the public.

          That’s not a crime.  That’s called AT&T publicly broadcasting their customers data.

          1. Maybe, but that’s not what this guy did is it?

            You’re describing a situation where a website sends out private data to people who didn’t ask for it.

            This is not what Weev was doing, and it’s not how the site worked. He analyzed how the webform worked and got it to give him information it would not under expected use give him. The data was not his and he knew it was not his. He was NOT randomly pressing a button. What he did was not doable by a non-expert. He didn’t just press a button and accidentally get data. He analyzed the system, found a security exploit, and took advantage of it.
            A better analogy would be that he went to a public place where there was a locked door.  The door lock just asks people who they are and if they are someone allowed it lets them in.  Weev lied about who he was to gain access.  The data was not given to him, he had to get it out actively and through ingenuity.

            There have been cases where companies mistakenly email out personal data to the wrong people. The people who receive these emails did not commit a crime and have never been charged. If you got someone’s SSN this way and used it to get a credit card in someone else’s name though, YOU WOULD BE GUILTY OF FRAUD.

            The charge of fraud in this case represents Weev pretending to be someone else to get at their data. If your local DMV had weak security and you could get a driver’s license by simply saying you are someone else and getting an ID in their name, it would be illegal to do so EVEN THOUGH THEY GAVE IT TO YOU. Fraud is when you misrepresent yourself to gain access to things which you yourself do not have permission to get. The site (in its way) asked people who they were and in response gave out information. Weev told it he was someone else and got that info. What if you had a crappy email password and I guessed it, is that ok? Should the legal burden be on people to protect property or should it be on people to NOT TAKE WHAT IS NOT THEIRS? You see, to have a view that because Weev was smart and ATT was dumb, that he should be able to take things with no consequence. Thankfully this is not how the legal system works.

            As for the economic system, that’s a different story.

          2. I disagree completely with your assessment.

            Here’s the why.  “expected use” is already predefined by both HTTP and HTML standards NOT by AT&T.

            By configuring their HTTP servers to identify as supporting HTTP specs, and configuring their web content to support HTML specs, they adopted a uniform and standardized set of expectations in terms of interactions from clients.

            Everything weev did was well within expected client activity for these standardized protocols and markup languages.

            In short, if AT&T didn’t expect this… they didn’t understand the tools they were using, or the protocols they were supporting actively.

            I can’t make a guess as to what was going through the mind of AT&T. But I can tell you beyond a shadow of doubt that their code specifically claimed to support publicly standardized protocols and markups that clearly and explicitly stated that they could expect the actions that weev took.

            If they had not intended to support the full HTTP and HTML specs they could have chosen to not do so.  They didn’t.  They clearly announced HTML and HTTP support.

            There’s just no way around that.

            An enumerated variable in an HTTP GET request is not an ID or authentication mechanism under HTTP 1.x/2.x. The form field they chose is not an authentication method in HTML 4 or 5.

            PERIOD.  This shit is explicitly standardized.  This is documented so that every developer and implementer knows what is and is not what.

            You can’t make a claim of identity being falsified if AT&T implemented using a public spec that clearly identified their enumerated variable as not being authentication related.

            It’s not logical.

            It’s in fact logically PROVABLY false.
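The pattern the thread above argues over (a device serial in a GET parameter treated as if it proved entitlement to the record behind it), as an added example that is not code from the page, from AT&T, or from any commenter: a toy lookup with that weak shape beside one that ties entitlement to an authenticated session rather than to the identifier, plus a log check a defender can run to flag a client walking a serial range. The serials, account names, addresses and access-log lines are constructed, and `/lookup`, the `id` parameter and every function name are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample data (not real customers): a device serial mapped to the
# account that registered it and the address on file for that account.
RECORDS: Dict[str, Dict[str, str]] = {
    "89010000000000000001": {"owner": "acct-alice", "email": "alice@example.com"},
    "89010000000000000002": {"owner": "acct-bob", "email": "bob@example.com"},
    "89010000000000000003": {"owner": "acct-carol", "email": "carol@example.com"},
}


@dataclass
class Request:
    """A bare-bones HTTP request: the URL and, if the client is logged in,
    the account the server-side session has already established."""
    url: str
    session_user: Optional[str] = None


def serial_from(req: Request) -> Optional[str]:
    """Pull the 'id' query parameter out of the URL (None if absent)."""
    return parse_qs(urlparse(req.url).query).get("id", [None])[0]


def vulnerable_lookup(req: Request) -> Optional[str]:
    """Weak shape: knowing a serial is treated as entitlement to the record.
    Any client that can guess or count through serials gets other people's
    addresses; nothing about the caller is ever checked."""
    record = RECORDS.get(serial_from(req) or "")
    return record["email"] if record else None


def hardened_lookup(req: Request) -> Optional[str]:
    """Hardened shape: entitlement comes from the authenticated session, never
    from the identifier. The serial only selects among the caller's own records,
    and unauthenticated or foreign-serial requests get the same empty answer."""
    if req.session_user is None:
        return None
    record = RECORDS.get(serial_from(req) or "")
    if record is None or record["owner"] != req.session_user:
        return None
    return record["email"]


# Common-log-format line for the toy endpoint; the regex captures client and serial.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET /lookup\?id=(?P<id>\d+) HTTP/1\.[01]" (?P<status>\d{3})'
)

# Constructed access-log excerpt: one client stepping through serials in order
# (including a miss), another client making a single request.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Mar/2013:10:00:01 +0000] "GET /lookup?id=89010000000000000001 HTTP/1.1" 200
203.0.113.5 - - [19/Mar/2013:10:00:02 +0000] "GET /lookup?id=89010000000000000002 HTTP/1.1" 200
203.0.113.5 - - [19/Mar/2013:10:00:03 +0000] "GET /lookup?id=89010000000000000003 HTTP/1.1" 200
203.0.113.5 - - [19/Mar/2013:10:00:04 +0000] "GET /lookup?id=89010000000000000004 HTTP/1.1" 404
198.51.100.7 - - [19/Mar/2013:10:05:00 +0000] "GET /lookup?id=89010000000000000002 HTTP/1.1" 200
"""


def enumerating_clients(log_text: str, min_run: int = 3) -> Dict[str, int]:
    """Return {client: run_length} for clients that requested a contiguous run of
    at least min_run distinct serials. A run of adjacent identifiers from one
    client is the access-log signature of walking an identifier space, and it
    shows up whether or not each reply succeeded, so status codes are ignored."""
    ids_by_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            ids_by_client[m["ip"]].add(int(m["id"]))
    flagged: Dict[str, int] = {}
    for client, ids in ids_by_client.items():
        ordered = sorted(ids)
        longest = run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged[client] = longest
    return flagged


if __name__ == "__main__":
    print(vulnerable_lookup(Request("/lookup?id=89010000000000000002")))
    print(hardened_lookup(Request("/lookup?id=89010000000000000002")))
    print(hardened_lookup(Request("/lookup?id=89010000000000000002", session_user="acct-bob")))
    print(enumerating_clients(SAMPLE_LOG))
```

The design point is the one the two commenters talk past each other on: whether a serial counts as "identity" is settled by the server, not by the protocol, and the only way to make the answer "no" is to never let the serial be the sole input to the access decision. The log check complements that fix rather than replacing it, since a hardened endpoint still benefits from noticing a client that is counting.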

  8. This page of comments disappointed me greatly.

    I would have hoped that those who hate this guy (whom I know nothing about) would wish for him to be punished for one of the many douchey things you allege he has done (threatening rape) instead of this one that will potentially impact legitimate security research in the future and which implies it’s OK for big companies who hold data on us to rely on security by obfuscation (which is basically worthless) to keep our information private.

    Such short-sightedness doesn’t usually abound on BB like it seems to have here. As I said… I don’t know or care about the guy but to be indifferent about seeing him suffer for one thing because you don’t like him for another is completely immature and pathetic.

    1. This does not impact legitimate security research at all, which is why many legitimate security researchers are actually quite thrilled he’s going down. This was a guy who only set up all his “I’m a legitimate security researcher” after he got caught, arrested, and indicted. Before that, he was just using that tag as part of his troll group, GNAA and other groups.

      Legitimate security researchers know contacts at companies that they are pen-testing for, and legitimate security researchers are really actually quite glad that this idiot is out of the pool, because he was crapping all over it.

      1. That’s patently untrue and an indefensible assertion. Explain the EFF’s involvement. The talks at ShmooCon and other events around the world. And the public shows of support from pretty much every single area of the infosec industry.

    2. Nice of you to try to soft-pedal it, but he’s bragged about threatening rape. This isn’t something that mean ol’ internet people are trying to pin on him.

      Bear in mind, also, that Weev is completely lying when he says he gave AT&T a chance to fix the hole. He stole* a bunch of data and then mailed it all to Gawker. Better than selling it to the Russians, I suppose, but Weev is in no way a white hat here.

      *If you accidentally leave your door unlocked, and I walk in and take a bunch of your stuff, that’s stealing. Don’t try to pretend that bad security is an excuse for theft. Now, if I walk in, say “hm, this guy needs to lock his door” and leave you a note to that effect, that should be protected. But it ain’t what Weev did.

      1. No soft-pedaling here… as I said I don’t really know anything or care about the guy himself… but your comment still doesn’t sway me. Bragging about threatening rape is also douchey but even less illegal than threatening rape.

        I also don’t care that there are non-white hats (his actions could not be classified as black-hat) out there stealing private data from companies that have the resources and know-how to prevent that. Those real dangers are the very reason that big companies should care about security. We’re paying them millions to be inept now?

        I’m sure the hole is fixed as a result of sending them to gawker and had he just told AT&T their stuff was broken then I’m sure this story would not have garnered the same negative PR that AT&T deserves for being so careless with their customers’ private information.

  9. Wait, you think rape threats are legal?

    Heh. I suppose this is where people like Weev come from, then, isn’t it? Him and the Steubenville rapists.
