Here's Ryan Tate, the first writer to cover AT&T's massive iPad data leak, on the "hacking" conviction of Andrew “Weev” Auernheimer for exposing it in the first place: "The scapegoating of Auernheimer is revolting for two reasons. One, it lets AT&T off the hook for exposing sensitive information to public view, shifting the blame onto those who reported the slip-up, and discouraging future disclosure. Two, the jailing of Auernheimer criminalizes the act of fetching openly available data over the web." Previously.

49 Responses to “Exposing public corporate cock-ups is not "hacking"”

  1. Jayce says:

    I dunno, I’m a pretty notorious hacker – I once discovered that my local Starbucks was filling the half and half with regular milk.

  2. oasisob1 says:

    The feds are doing their best to punish and deter hackers, and thus to help protect large corporations, who are basically the most important people in America.

  3. Fogbert says:

    …the jailing of Auernheimer criminalizes the act of fetching openly available data over the web.

    I don’t buy this argument for a minute. If I accidentally leave the front door to my house unlocked, does that mean that it’s okay for someone to come into my house?

    Because you *can* get access to the data does not mean that the data are “openly available over the web” or does it make it okay to do so.

    • oasisob1 says:

      If it’s not any more difficult than typing a URL, then it’s a crime for it to be a crime. Way back in 1997, my friend and I used the same ISP in Spain, which provided web-based access to upload your own website. My friend noticed that once you created a sub-folder, it basically let you navigate ‘up’ to the complete list of user folders, then ‘down’ into any user folder you liked… with full rwx access. Many oldschool lols were to be had the day I looked at my site and found the whole thing to be surrounded by blink tags. Should he spend 4 years in jail for it? I don’t think so.

      • Fogbert says:

        By this logic, it would be completely okay for someone to wipe out my bank account just because they could do it with a few key strokes?

        Don’t get me wrong. I do not feel that the punishment here is at all suitable. I just don’t feel that it’s fair to grant a free pass either.

        • oasisob1 says:

          The difference here is that stealing your money, or making it vanish would be a crime however you managed it.

        • Frederik says:

          Except of course that all of those things are different crimes and should be treated as such. He didn’t walk into a house to steal property, he didn’t wipe bank accounts.

          He copied data from an insecure database, not with malicious intent but to expose the flaw.
          Changing the crime to something else is a rather flawed line of reasoning.

        • ocschwar says:

          There’s a whole range of options for punishing Weev that don’t involve imprisoning him for longer than the Steubenville rapists.

          • Boundegar says:

            Yes but they were fine upstanding young men with their whole future ahead of them, while weev is a DFH, and he has a beard.

      • dragonfrog says:

        Maybe not 4 years in jail, but I don’t think a fine and a hundred hours or so community service would have been out of place.  Vandalizing something just because there’s no fence around it isn’t alright.

        • Gari Deb says:

          Would you rather a security flaw be exposed by a hacker who is trying to draw attention to a potential risk, or people go “uh-oh, I could get in trouble for that, better leave it alone” and only gangsters, foreign spies, terrorists, malicious kids etc. etc. take advantage of the security flaw?

          If my front door was unlocked and open and I saw some kid standing in my front room going “wahh whahh wahh you left your door unlocked!” I’d be happier than finding a burger with a knife, you know?

          • Peter says:

            I don’t know, if I left my door open and somebody dropped by with a burger and a knife, I’d be pretty pleased.

            Unless the burger’s tough, and that’s why you need the knife?

            Then I wouldn’t be so pleased.

            (Yeah, it’s obvious what you meant, and I agree, I’m just having fun)

          • dragonfrog says:

            Check the comment I’m replying to – it’s specific to the example of someone defacing websites for lulz, just because the shared hosting provider didn’t properly isolate user content.

            This isn’t a hacker reading a file, maybe adding an HTML comment (not rendered in the browser) to confirm the ability to write, maybe getting permission from a fellow service user to do a demo hack on their site, and in any case contacting the service provider so they can fix the problem.

        • lishevita says:

          He didn’t vandalize it. Vandalism involves some sort of destruction or defacement. 

          What he did was equivalent to writing a web spider that uses the way that web server software is written to go find all the web pages on a server and then index them. That’s not illegal. It’s just using the software the way it was written. He didn’t destroy anything. He wrote a script that used the software that AT&T wrote. 

          • dragonfrog says:

            See above – follow the whole thread.  The comment you reply to, is itself in reply to a comment, and the actions I refer to as vandalism are the ones described in that comment (and done by someone else, not Weev). 

    • insert says:

      The internet is not a dump truck; web servers are not doors. 
      A web server is a machine that’s set up to respond to requests; it’s kind of like a bank teller. AT&T, because they’re incompetent, set up their web server so that, when it received a serial number in a request, it would respond with a phone number. That can’t have happened by itself; AT&T had to consciously set up the web server, consciously connect it with a database of phone numbers and consciously tell the server to respond the way it did. 

      The “door” metaphor is inaccurate; it probably applies better to a SQL injection attack. 

      A better metaphor is walking up to a bank teller, saying “Hi, what’s Cory Doctorow’s bank balance?”, then asking “What’s Rob Beschizza’s?” etc. It’s not your fault that the bank “configured” its employees to disclose private facts to anyone who asks.
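The "teller who answers anyone" pattern described in the comment above, shown from a defender's side as an added example (not code from the page, from AT&T, or from the commenter): a lookup handler that turns a device serial into a customer's contact detail for any caller, next to a hardened version that first authenticates the caller and then checks that the serial belongs to that caller's account. The serials, phone numbers, session tokens, `Request`/`Response` types and function names are all constructed for this example.

```python
"""Weak vs. hardened identifier lookup. Everything here (store contents,
tokens, request framing) is constructed for the example."""
import hmac
from dataclasses import dataclass

# Constructed backing store: device serial -> (account_id, phone number).
DEVICES = {
    "8901000000000000001": ("acct-1", "+1-555-0100"),
    "8901000000000000002": ("acct-2", "+1-555-0101"),
    "8901000000000000003": ("acct-3", "+1-555-0102"),
}

# Constructed session store: opaque token -> account_id (filled in at login).
SESSIONS = {"tok-acct-1": "acct-1"}


@dataclass
class Request:
    path: str      # e.g. "/lookup"
    params: dict   # query parameters
    headers: dict  # e.g. {"Cookie": "session=tok-acct-1"}


@dataclass
class Response:
    status: int
    body: str


def lookup_insecure(req: Request) -> Response:
    """Weak pattern: the serial in the request is the only 'credential'.
    Any client that can guess or enumerate serials gets every record back,
    and the distinct 404 tells it which serials exist."""
    serial = req.params.get("serial", "")
    record = DEVICES.get(serial)
    if record is None:
        return Response(404, "unknown device")
    _, phone = record
    return Response(200, phone)


def _session_account(req: Request):
    """Resolve the caller's account from the session cookie, or None."""
    cookie = req.headers.get("Cookie", "")
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            # constant-time comparison so token checks do not leak timing
            for token, acct in SESSIONS.items():
                if hmac.compare_digest(token, value):
                    return acct
    return None


def lookup_hardened(req: Request) -> Response:
    """Hardened pattern: authenticate the caller, then authorize the specific
    object. An unknown serial and someone else's serial get the same answer,
    so the endpoint cannot be used to discover which serials are valid."""
    acct = _session_account(req)
    if acct is None:
        return Response(401, "login required")
    serial = req.params.get("serial", "")
    record = DEVICES.get(serial)
    if record is None or record[0] != acct:
        return Response(404, "not found")
    return Response(200, record[1])


def demo() -> dict:
    """Same three requests against both handlers; returns the status codes."""
    anon = Request("/lookup", {"serial": "8901000000000000002"}, {})
    owner = Request("/lookup", {"serial": "8901000000000000001"},
                    {"Cookie": "session=tok-acct-1"})
    other = Request("/lookup", {"serial": "8901000000000000002"},
                    {"Cookie": "session=tok-acct-1"})
    return {
        "insecure_anon": lookup_insecure(anon).status,   # 200: data for anyone
        "hardened_anon": lookup_hardened(anon).status,   # 401: no session
        "hardened_owner": lookup_hardened(other).status  # 404: not their device
        if False else lookup_hardened(owner).status,     # 200: own device
        "hardened_other": lookup_hardened(other).status,
    }


if __name__ == "__main__":
    print(demo())
```

The design point is the order of checks: who is asking is established before what they are asking for is looked up, and the failure responses for "does not exist" and "not yours" are made identical.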

    • dragonfrog says:

      Copying is not theft, etc. etc.

      A more apt analogy – if you leave your curtains open and light on at night, does that mean it is okay for someone to look in your window from a place they are allowed to be (not jumping your fence and putting a ladder to your wall to get a better view)?

      The answer to that one is, yes – and if you are going around naked in those circumstances, those who see you will not be charged as peeping toms, but you may be charged with indecent exposure.

    • The Gaf says:

      No, but it’s not a crime for someone to ring your doorbell and let you know it is unlocked.

      • Fogbert says:

        Fair enough, but it goes beyond that. It’s like he opened the door and walked inside 100,000 times.

        • EH says:

          So where do you draw the line in your analogy? How many times is too many?

          • Fogbert says:

            Honestly?  Once.

            He didn’t have a legitimate reason to spoof the website, and just because it’s possible isn’t a good enough reason.

          • Daemonworks says:

            Besides, he didn’t just walk in, he walked in and rummaged through your underwear drawer, then went around the neighbourhood telling folks what he found there.

            I’d say the sentencing is a little excessive, especially in light of the fact that raping a drunk girl, filming it and putting the video online gets you a year and tons of sympathy from the media.

    • Nimdae says:

      This is not the same thing at all.

      If you leave your curtains drawn and decide to get undressed and someone sees you, that person is not violating any laws. In fact, if that someone were a police officer, he could fine you for public indecency or something similar. In the case of AT&T, they should have received some punishment for violations of their own privacy agreements with their customers.

      In this case, however, a person looked in, went to let them know the window was open, and was charged with rape. Well, except he’s getting a harsher punishment than rapists, apparently.

    • EH says:

      Where is the private property line of a website? What constitutes the curtilage of a website?

    • Cowicide says:

      By your logic, it should be a crime to look into a storefront window as you pass by and inform others you noticed a fire and/or dangerous structural issues inside.

  4. Ethan says:

    Perhaps one of the lessons is that if your goal is to be a white-hat hacker & expose (as opposed to exploit) security weakness, perhaps you should just poke at the problem (e.g., access a few email addresses by way of example) as opposed to wholesale slurping (e.g., accessing 100,000 email addresses).

    • dragonfrog says:

      Nope, nope, and nope.  I can’t come up with a better example than Karl J. Smith posted above, but given half an hour I could probably come up with similar ones.

      Seriously, read in full the link Karl posted, it’s very thought-provoking.

    • Ethan says:

      I hadn’t meant to imply that Weev would have a get-out-of-jail-free card if he hadn’t gathered 100k names. Sure, if a law applies to doing it 100k times, then clearly it also applies to doing it 1 time. However, at least for me there is a difference. I have a lot more sympathy for Brad Hill and would easily believe he had the best of motives. With Weev, I can’t fault someone for wondering if perhaps there was some reason why he went to the effort of collecting so much data.

      • dragonfrog says:

        It’s not even really comparable – Brad Hill didn’t even do a dubious thing 1 time.  The thing that Weev did – obtaining information he probably shouldn’t have had – Brad did exactly 0 times.  And still he was threatened with crushing legal action.

        • Ethan says:

          Hmm… Brad wasn’t prosecuted. Do you think he might have been if he used the security flaw 100,000 times?

          • dragonfrog says:

            He didn’t even use a security flaw.  He notified the operators of a website, that their website configuration was incompatible with browsers configured to behave securely.  That is all he did.

            Just for that, the DHS investigated him for hacking.  That is clearly a ridiculous overreach.

            In conclusion:  R.  T.  F.  A.

          • Ethan says:

            Setting aside the joy of nitpicking, do you really think there wouldn’t have been a difference in whether the prosecution moved forward or the severity of the sentence if Weev had only accessed one email address?

  5. signsofrain says:

    Prosecution maintains that Weev publicly disclosed the vulnerability before informing AT&T about it, and that there are IRC chat logs proving that Weev and his buddy did the job to make AT&T look bad and improve their own reputations.
    Weev said on Twitter that he gave AT&T a chance to respond before disclosure.

    So what exactly happened? Why convict if Weev, provably, informed AT&T of the problem before releasing anything about it? And does Weev’s intent matter if he properly informed AT&T?

    Jailing someone for HTTP GETs is ridiculous. URL ‘hacking’ can be done accidentally by noobs. Jailing someone for publicly releasing sensitive personal information or a security vulnerability before AT&T had a chance to patch it is not so ridiculous. 

    • Gilbert Wham says:

      The point is, large companies have a well-earned reputation for not giving a fuck about security breaches when ‘little people’ tug on their coatsleeves and tell them about it. Because it would hurt their bottom line to fix it, and it doesn’t need fixed cos nothing bad’s happened, right? That really, really is how they think. And then someone embarrasses them and hurts their bottom line and they go into full attack mode. Because… actually, I don’t know why because.

      • signsofrain says:

        I agree completely. What I am asking is, in Weev’s case, did he really give AT&T the chance to fix the problem before going public with it? If he didn’t at least give that cursory tug on the sleeve, he was wrong to release anything. I have NO problem with security vulnerabilities being released if they’re reported to the company and the company ignores it first. I do have a problem with active vulnerabilities being released on the internet where real evil-doers can get at them without a chance for the vulnerability to be addressed first. 

        Weev said he told AT&T about it, AT&T (and presumably the court that convicted Weev?) say he didn’t. 

        In one case, I’d disagree with the conviction, in the other I wouldn’t. I’m willing to believe that Weev did the right thing, but I find it just as easy to believe that he’d stick it to AT&T for the fun of it. I can’t find evidence either way, only contradictory information in news articles. I’m just curious if anyone out there can claim to know the real story. 

  6. danegeld says:

    I think it sets a bad precedent. I’ve occasionally written scripts that pull files off websites by enumerating URLs, which is the same thing that Aaron Swartz did. Fortunately I picked people who don’t monitor their traffic too closely. I think the bar for criminal prosecution needs to be raised somewhat. AT&T are responsible for securing the data they process, and their lapse has gone unpunished. Perhaps a civil suit could be filed against URL hackers to recover expenses dealing with the fallout, but jail time and a criminal record seems disproportionate.
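The commenter notes that this kind of URL enumeration is only noticed by sites that watch their traffic. As an added example (not from the page or the commenter), here is the detection an operator would run over its own access logs: group lookups by client, find the biggest burst within a time window, and flag clients whose identifier values step through the keyspace in order. The log lines, the `/lookup?serial=` URL shape, the client addresses and the thresholds are all constructed assumptions for this example, not anyone's published rule.

```python
"""Flag clients that walk identifier values sequentially in an access log.
Log lines, URL shape, addresses and thresholds are constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Constructed common-log-format lines: 203.0.113.7 walks serials in order,
# while 198.51.100.4 and 192.0.2.9 make ordinary one-off lookups.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2010:13:00:01 +0000] "GET /lookup?serial=8901000000000000001 HTTP/1.1" 200 27
198.51.100.4 - - [10/Jun/2010:13:00:02 +0000] "GET /lookup?serial=8901000000000000042 HTTP/1.1" 200 27
203.0.113.7 - - [10/Jun/2010:13:00:02 +0000] "GET /lookup?serial=8901000000000000002 HTTP/1.1" 200 27
203.0.113.7 - - [10/Jun/2010:13:00:03 +0000] "GET /lookup?serial=8901000000000000003 HTTP/1.1" 404 14
203.0.113.7 - - [10/Jun/2010:13:00:04 +0000] "GET /lookup?serial=8901000000000000004 HTTP/1.1" 200 27
203.0.113.7 - - [10/Jun/2010:13:00:05 +0000] "GET /lookup?serial=8901000000000000005 HTTP/1.1" 200 27
192.0.2.9 - - [10/Jun/2010:13:00:05 +0000] "GET /lookup?serial=8901000000000000100 HTTP/1.1" 200 27
203.0.113.7 - - [10/Jun/2010:13:00:06 +0000] "GET /lookup?serial=8901000000000000006 HTTP/1.1" 200 27
203.0.113.7 - - [10/Jun/2010:13:00:07 +0000] "GET /lookup?serial=8901000000000000007 HTTP/1.1" 200 27
203.0.113.7 - - [10/Jun/2010:13:00:08 +0000] "GET /lookup?serial=8901000000000000008 HTTP/1.1" 200 27
192.0.2.9 - - [10/Jun/2010:13:02:00 +0000] "GET /lookup?serial=8901000000000000100 HTTP/1.1" 200 27
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Parse one log line into ip/timestamp/serial/status, or None if it
    does not match the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlparse(m["path"]).query)
    serial = query.get("serial", [None])[0]
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "serial": serial,
        "status": int(m["status"]),  # mixed 200/404 is typical of a scan
    }


def flag_enumerators(lines, window=timedelta(minutes=5),
                     min_requests=5, min_sequential_ratio=0.8) -> dict:
    """Return {ip: summary} for clients whose largest burst of lookups within
    `window` has at least `min_requests` requests and whose consecutive serial
    values differ by exactly 1 at least `min_sequential_ratio` of the time."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["serial"] and rec["serial"].isdigit():
            per_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best = None
        start = 0
        for end in range(len(recs)):          # sliding window over time
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            burst = recs[start:end + 1]
            if len(burst) < min_requests:
                continue
            serials = [int(r["serial"]) for r in burst]
            steps = [b - a for a, b in zip(serials, serials[1:])]
            ratio = sum(1 for s in steps if abs(s) == 1) / len(steps)
            if ratio >= min_sequential_ratio and (
                    best is None or len(burst) > best["requests"]):
                best = {
                    "requests": len(burst),
                    "sequential_ratio": round(ratio, 2),
                    "first_serial": burst[0]["serial"],
                    "last_serial": burst[-1]["serial"],
                }
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, summary in flag_enumerators(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

The sequential-step ratio is what separates a scan from a busy legitimate client: a real user who looks up the same device repeatedly, or several unrelated devices, produces steps of 0 or of arbitrary size, not runs of 1. In production the same signal is usually combined with rate limiting at the endpoint rather than only reviewed after the fact.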

  7. SomeGuyNamedMark says:

    Nothing new here.  So AT&T messes up and gets mad at the person who pointed it out.  Blaming the accuser for catching them doing something bad is something people learn to do as kids.

  8. danegeld says:

    What about the 4th amendment? If the data is visible from a public place on the internet, does AT&T have any reasonable expectation of privacy?

  9. Boundegar says:

    Y’know, if I had the Secret Key to the Internet, I don’t think I would tell anybody.  I would try it out behind 47 layers of proxies and crypto-thingamajigs, and if it was for real I would have a long hard think. Will I use this gizmo to rob banks?  Will I disclose it to somebody who can patch it?  Or will I post it on 4chan and say, “Have at it, boys!”

    But regardless, I would be very very careful about leaving clues to my identity.  I do not wish to be a celebrity, especially the kind behind bars.

  10. Brad Bell says:

    Gosh. It makes me reconsider my actions ‘hacking’ around ft.com’s paywall. I was, however, careful not to tell anyone else how to do it. I’m not a hacker. It’s something my mom could do. (She’s nearly 80 and thinks Facebook is the internet.)  For the record, I didn’t actually do the ‘hacking.’ A giant US mega-corporation did the hacking (for profit), I simply took advantage of it to ‘steal’ the FT content and store it in memory. I have not profited from the knowledge I’ve gained – just become more depressed.

    Note: this is a true anecdote that is phrased to make it sound criminal and intended as an ironic parallel. If it were criminal we’d have to ban search engines.
