Twelve months ago on this very site it was discussed how a private company named Path was, without permission and certainly illegally, stealing the entire address books of users and uploading them to their own servers. The CEO of that company appeared right here on this board personally (not surprising he follows this board as he has invested in YCombinator projects [http://www.forbes.com/sites/nicoleperlroth/2011/08/25/yc-com...] ) and not only defended his actions but justified them, proud of the fine work of data theft he engaged in. [https://news.ycombinator.com/item?id=3563368] He also said in a comment on his blog that these actions of stealing entire address books were a common practice in industry: "This is currently the industry best practice" [https://news.ycombinator.com/item?id=3563639]. And in fact it turned out that companies as large as Twitter were also engaging in the same type and manner of data theft [http://articles.latimes.com/2012/feb/14/business/la-fi-tn-tw...].
At that time some HN members, possibly some of the same ones here attacking this hacker (perhaps with good reason), defended the data-theft-for-profit actions of these companies.
These two positions are not consistent. People may wish to pick a side of this issue and stick to their position if they wish to be taken seriously, or frame a coherent argument why it is acceptable for corporations to engage in data theft from individuals but the reverse should be severely punished with prison time and other penalties.
Those who genuinely believe that weev should be prosecuted and imprisoned for his actions may wish to consider if the same call should be made for criminal proceedings against the larger scale and more clearly profit driven data theft actions taken by large and well funded companies such as Twitter, Path, Facebook, Apple, and many others.
Yes, weev is an ass. I personally believe that, at some point, he probably has done something worth jail time. But this isn't it, and neither is being one of the worst trolls on the Internet.
If anyone thinks weev deserves any sympathy, you don't know the full story. weev had malicious intent and wanted to harm AT&T by exposing users data. Instead of doing anything remotely rational he took all the data and wanted to sell it.
Laws take into account indent (mens rea) and there is a lot of evidence in his indictment that he wanted to profit off this act. He shouldn't be compared to Aaron Swartz.
I know weev personally. He's "an unsympathetic defendant", and probably the 9th level Internet Troll, but his goal was fundamentally speech -- he wanted to draw a lot of attention to the issue, and embarrass ATT (hopefully enough that they'd stop being such fuckups about security), etc.
He wasn't trying to profit from this. If that had been his goal, he would have been a lot more stealthy.
It's arguable that he had "cleaner" motives in his act than aaronsw -- some people say aaronsw wanted to release all the files he recovered to the Internet (although there's no proof of that); weev just wanted ATT to suck less.
weev has said things far worse than what's alleged in this case (that they wanted to compile a list and direct market the users); yet, if you judge him by what he's actually done, he's just an asshole at times, but basically reasonable. Fortunately just being an ass isn't a federal crime (although I guess conspiracy to be an ass is).
Being an "an unsympathetic defendant" frankly makes it even more important to support him. One of the worst things with these out of proportion indictments/sentences is that they leave too much room for other factors, which can turn into things like political repression.
So he committed a crime and wrote words that characterize the intent behind crime in such a way as to increase prosecutorial interest and sentencing. Now you are saying he was just joking around when he said those things?
Perhaps it's true, but it's stupid and it's hard for me to imagine anyone taking that explanation seriously, certainly not prosecutors and judges.
If you walk into a bank with a gun and ask the teller for money, then say "just kidding", .... Good luck.
Yeah but prison time, followed by secret service, not allowed to use computers, not allowed to take jobs... for what, compiling a list of email addresses that a public API was happily returning to him? Despite his questionable handling of the situation, I don't support that kind of draconian punishment.
Agreed - I can despise his behavior, and how he handled this situation, but at the same time say what he did should not be considered a felony, and, based on what I read in the Ars Technica article, it's not even clear if I feel like it's criminal.
"That guy got life in prison all for moving a knife about two feet in a certain direction! The system is corrupt!"
I wish people could be a little more honest in the way they describe computer crimes. He knew or should have known that that api was not meant for public use. He is being punished for using it despite this knowledge.
Seriously? That you actually believe his punishment fits the crime is incredibly saddening. If even the top voted comment on a site that understands the issue believes the punishment is appropriate, imagine the discussion in a law firm or in parliament. Anybody in the USA touching a computer will be in trouble soon. Can't wait for the next batch of laws.
Punishing people for purposefully disclosing private information that is clearly not intended to be public is the path to "everyone touching a computer will be in trouble soon?" You act as if he was just playing around on his own computer minding his own business when the big bad government broke his door down.
Don't act so surprised and imposed upon that a culture that very much respects fences sees something wrong with intentionally poking your nose where it doesn't belong, online or offline.
I don't approve of his motives or actions either, but still, it seems that spending years in jail is a disproportionate punishment for the amount of harm he may have caused AT&T or its customers. This article says that they had second thoughts about how smart their plans actually were and ended up deleting the data rather than selling it to anybody. And it's doubtful that their actions had any lasting effect on the stock price of AT&T - data leaks are a fairly frequent occurrence among large corporations.
The intent is immaterial if the actions are not against the law.
If accessing published information (and incrementing a number in a URL cannot be considered breaking in ...) is against the law, there is something terribly wrong with the law.
That said if he tried to use the data to extort money from AT&T that would of course be a criminal offense (even if the "intent" was robinhoodian).
To illustrate with an analogy:
If someone takes a picture of a hapless drunk girl dancing topless in a bar (AT&T), that is not criminal.
If this person approaches the girl and asks for money to delete the incriminating pictures, that is extortion.
If the person sells the picture to an interested third party, this might constitute the case for a civil lawsuit (see the texxxan case...)
In any case no special laws are needed for judging behaviour in the virtual world.
There is no indication he wanted to sell it. He wanted to embarrass AT&T, and that isn't a crime. Changing the number in a URL is not identity fraud.
This is exactly the same thing that was thrown at Aaron, even if you don't find the target as sympathetic.
"He that would make his own liberty secure, must guard even his enemy from oppression; for if he violates this duty, he establishes a precedent that will reach to himself." -Thomas Paine
That does not appear to be true. From the Ars Technica article on the case:
"Auernheimer then helped Spitler refine his script to harvest a large number of valid e-mail addresses of iPad 3G users, suggesting that a huge data set would be needed to "direct market iPad accessories" or start a "future massive phishing operation," noting that the data breach would be "huge media news."
Yeah yeah. He should "man up" or something like that. Those bastard hackers, self declared trolls, activists and stuff...
Do you guys always know the full story behind the news and comment accordingly? If you do, based on the articles you read around, I want to remind you that in Aaron's case what you could read about the case was less than half the truth and there are still things we're not sure about.
Unless you know something everyone else doesn't, then what is published about the Swartz case is on the record and in the books. So you're saying that the prosecutors were correct in the charges they brought?
Absolutely not, he should have checked with a lawyer first about how to accomplish his objectives within the framework of the law. Then he would not be in jail but instead making lots of money.
It's really not that hard to compile a list of email addresses from a public API in a way that doesn't violate the law.
People that describe themselves as trolls are generally bigoted idiots and I feel no sympathy. I'm sorry if that's a stereotype but I can't help myself, the internet hasn't been nice to me.
Whether they're bigoted or idiotic shouldn't affect how the law affects them, though. If the person committing this crime was a nice, inoffensive guy, would the law remain justified?
May we see some proof of the full story? There's nothing to that effect in the IRC logs other than some jokes about how the data is valuable and how they could sell iPad accessories. As if. What did he do? Wrote a bunch of journalists to get press and then deleted the data.
When you hear of horrible stories like that of Aaron Swartz and the author of this insightful article, Andrew Auernheimer, it really paints a picture of just how afraid the US government is of the Internet. People lament China for their great firewall and control over its people, and yet the US is starting to look more and more like China every day. This is how revolts against governments start: absurd laws and persecution of innocent people, which eventually pushes people over the edge, and if they don't kill themselves they rise up and society gets thrown into disarray, which only results in more oppressive laws and absurd persecution. It's a horrible cycle.
All this guy did was exploit publicly available information. It seems the US is now sending people to jail for pointing out other people's stupidity. Sure, he probably went too far with the whole "I want to embarrass AT&T" thing, but trolling is not hacking and it's not like Andrew had to bypass any form of security to get the info in the first place.
Anyone would swear this guy found a way to steal credit card details...
It doesn't need to paint the whole story. If the dude committed any overly serious crime, he'd still be in custody right now awaiting sentencing. They don't let you out on bail if you're a serious offender. I'm sure there is more than meets the eye here, but given the spotlight being shined upon hacking cases like this of late, it's not hard to believe that what this guy says isn't what went down. Andrew was obviously a troll in every sense of the word, reckless and irresponsible, but by no means did he have to bypass any security measures to get the email addresses. I would argue it's the equivalent of a bank leaving its doors unlocked, alarm systems deactivated and lights on and someone walking in and taking money, then the bank complaining they got robbed, but this situation is blown way out of proportion and a metaphor like that would be over the top.
What he did is no different to someone writing a script that scours the web looking for email addresses (a tactic spammers have used and gotten away with for years), except no trickery was required to get the addresses; AT&T were handing them over unknowingly without recourse. This can't even be considered a hack, more of an exploit if anything.
The stupidity of wanting to embarrass was no doubt a really stupid move to make, but definitely not some security-defying hack. People shouldn't be jailed for acting like idiots; AT&T should be the ones being scolded for allowing this to happen in the first place. A company has a responsibility to keep customer data safe, and AT&T should be no exception to that rule.
What he did was no different than turning the doorknob of an unlocked door, then getting accused of "breaking and entering". Not even a "Keep Out" sign posted anywhere.
In most cases in the U.S., that would still be considered a crime.
Edit to add: The law is structured this way for a very specific reason--to account for human error. What if I always lock my front door, but this morning I was in a hurry and forgot? Should I give up all rights of private property because of this error? Obviously not, which is why someone walking into my house through my unlocked door would still be a crime (trespassing, at least). If they took anything, it would still be stealing--even though one could argue that if I "really" didn't want anyone to take my stuff, I would have locked my door.
We all know how hard it is to properly write totally secure web services. We read about the failures every day. The question, then, is similar. Should the rights of people and companies be completely dependent on their ability to write invulnerable code? I would submit that that is not a sustainable way for the law to operate.
Note that I'm not addressing weev's case specifically, as I'm not familiar enough with the details. Just addressing the general case.
China is not naturally terrible, China is just in that kind of shithole phase which any country might get into. It's the wrong direction a civilization evolves into.
"On 20 November 2012, Auernheimer was found guilty of one count of identity fraud and one count of conspiracy to access a computer without authorization. Auernheimer tweeted that he would appeal the ruling."
Is the problem that the laws themselves are terrible, or that the laws are being misused by overzealous prosecutors? I mean, if changing a public URL is considered "conspiracy to access a computer without authorization"... Or is this just not the full story, and he really was trying to do some "bad" stuff?
But if not: what can be done to change the law? Is appearing "soft on hacking" such a bad idea that politicians just won't support something better? Or is it really difficult to craft laws that actually do criminalize "bad" activity, without also technically criminalizing innocent activity?
The problem is that there is little consensus on what the boundaries in digital space should mean. Law makers, not without a certain logic, approach things from the principles of private property. Is changing a public URL considered "conspiracy to access a computer without authorization?" Well why would you do it, intentionally? Would you jiggle my door handle to see if that would unlock it? And if it was a crappy lock and jiggling it did unlock it, would it be unauthorized access to my property if you then walked in the door?
There is a line of thinking in the tech community that accessing data you're not supposed to access is only "bad" if you do something "bad" with it. But in meat space, we enforce fences in their own right, whether or not there is any other criminal activity involved. Arguably, doing so makes the larger problem of ensuring that there isn't associated criminal activity more tractable.
Actually, real world example: over the weekend someone stole my phone out of my (unlocked) car while it was parked in my apartment building's garage. Now, let's say he hadn't stolen the phone. Just rifled through the glove box and center console. No harm no foul, right? Of course not. We presume there is no good reason to be looking through someone else's car, even if you fully intend not to take anything.
Now, that doesn't mean we should treat digital boundaries the same as physical ones, but I don't think it's as obvious as some people in the tech community make it out to be that there shouldn't be penalties (of some sort--the magnitude of such penalties is a whole other debate) for intentionally violating digital boundaries, regardless of how well they are protected.
It's not likely that someone would get a long jail sentence for breaking into your car and not taking anything. If they had never committed a crime before, they'd probably get a fine or probation. There are usually monetary thresholds for a crime to be considered "grand theft" (a felony) vs. "petty theft" (a misdemeanor).
I wasn't sure whether this is a spoof or not. Is he serious when he writes: "I did this because I despised people I think are unjustly wealthy and wanted to embarrass them."
That was his admitted rationale - that he was seeking to embarrass people he despised because they were "unjustly wealthy?"
Another question would be: does harvesting emails embarrass the, in his words, "unjustly wealthy"? Is it the CEO or one of the board members that is responsible for web server configurations?
Obviously pure speculation (mixed with cynicism), but recalling this story of the email harvesting I have no problem imagining a conversation like this occurred:
PR Flack: "Sir, we had a little PR snafu today and millions of email addresses of paying customers were exposed."
CEO: "So what?"
PR Flack: "Well it looks bad sir."
CEO: "Fine, shitcan some 50K a year nerd in one of the data centers and then issue a press release indicating how seriously we take customer privacy."
As a person coming from a former Soviet satellite republic, I must say that the more I read, the less and less difference I see between the countries that are well known for disregarding human rights and the "land of freedom" - the US. The only difference I can think of is that they probably won't shoot you in broad daylight, like happens in Russia. But other than that, the image is complete - if you do something the government doesn't like, they can absolutely destroy you. They can put you in prison without a court order, freeze your assets for an indefinite amount of time, spy on you, send agents to follow you, deny you the information about why they are doing this, and they do threaten journalists not to write about some cases or risk prosecution for violating "national security".
I am honestly sorry for people who live in the US and happen to do something that their government perceives as wrong.
weev still thinks that AT&T 'published' this information.
AT&T had no intention of 'publishing' this information; he abused their system in order to obtain it, then he leaked it.
No weev, you found a bug in their web app, then _YOU_ willfully published other people's personally identifying information for your own fame and glory.
Unfortunately, someone whose name and details you leaked didn't like that, and called in a favor. The DoJ came after you hard.
Your little TechCrunch article chooses to omit crucial facts, and you are riding on the back of Aaron Swartz again. You are nothing like Aaron.
But they did publish it. Just because they didn't _intend_ to publish it doesn't mean it wasn't published.
Right now the URL I'm looking at has "id=5095821" in it. If I change that to "id=5095822", I'm looking at something else published by Hacker News. But by DoJ standards, I'm "hacking" and have broken the law if HN didn't deliberately publish it.
weev is an ass. But he didn't hack anything.
These cases are trying to set a standard of "security by intent". There is no such thing. It's like my internet banking saying "To access your bank account, please type in your account number. Be careful to get it right or you'll be looking at someone else's account"
Another fairly common example is with Facebook, where you can access profiles with names, like facebook.com/lessnonymous.1. I got fairly tempted to check for other people in the world with the same name as mine, so I incremented the number myself. I am not sure that Facebook intended their website to be used that way.
He certainly hacked it - but that's not necessarily pejorative. Your average individual couldn't just try entering the number into AT&T - weev had to spoof the user agent, and make some intelligent guesses as to what valid CCIDs would be.
It's not the world's greatest hack, but it certainly was using the system in a manner that I'm certain AT&T did not intend. The IRC logs indicated that they knew what they were doing was likely criminal, and if AT&T discovered them, would "sue" them.
Whereas I'm guessing PG would be fine with you incrementing the number on the HN URL. And I'm pretty certain that's not criminal behavior.
It's important to note, that just because weev was hacking the AT&T site, didn't mean it was a criminal hack. In my mind it barely crosses the line - and he gets punished somewhat, but I'm thinking a week in jail and 30 days community service - not the silly levels that the feds are going to in this case.
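To make the "security by intent" point above, and the user-agent gating mentioned in the reply, concrete from the defender's side: the following is an added Python example, not code from the page or from AT&T, with constructed subscriber ids, e-mail addresses, user-agent prefix and access-log entries. It contrasts a lookup guarded only by a client-controlled header and a client-supplied id with one bound to the authenticated session, and shows the server-side check that would flag a caller walking the id space.

```python
"""Illustrative only: why a User-Agent check plus a guessable id is not access control."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Optional, Set, Tuple

# Constructed sample data (hypothetical): subscriber id -> e-mail address.
SUBSCRIBERS: Dict[int, str] = {
    1001: "alice@example.invalid",
    1002: "bob@example.invalid",
    1003: "carol@example.invalid",
}

# Constructed user-agent prefix the weak handler "trusts"; any client can send it.
TRUSTED_UA_PREFIX = "Mozilla/5.0 (iPad"


@dataclass
class Request:
    params: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)
    session_user_id: Optional[int] = None  # set only after real authentication


def lookup_email_weak(req: Request) -> Optional[str]:
    """Weak pattern: the only gate is a header the client controls, and the
    record returned is chosen by a client-supplied id. Whoever knows (or
    guesses) an id gets that subscriber's e-mail address."""
    if not req.headers.get("User-Agent", "").startswith(TRUSTED_UA_PREFIX):
        return None
    return SUBSCRIBERS.get(int(req.params["id"]))


def lookup_email_hardened(req: Request) -> Optional[str]:
    """Hardened pattern: identity comes from the authenticated session, never
    from the URL. A client-supplied id is accepted only if it is the caller's
    own; anything else gets the same answer as a missing record."""
    if req.session_user_id is None:
        return None  # unauthenticated callers see nothing
    requested = int(req.params.get("id", str(req.session_user_id)))
    if requested != req.session_user_id:
        return None  # do not reveal whether other ids exist
    return SUBSCRIBERS.get(req.session_user_id)


def records_exposed(handler: Callable[[Request], Optional[str]],
                    ids: Iterable[int], headers: Dict[str, str],
                    session_user_id: Optional[int] = None) -> int:
    """How many distinct records one caller can pull by trying a range of ids.
    This is the measurement a reviewer uses to compare the two handlers."""
    return sum(
        1 for i in ids
        if handler(Request({"id": str(i)}, headers, session_user_id)) is not None
    )


# Constructed access-log entries (hypothetical): (client address, requested id).
ACCESS_LOG: Tuple[Tuple[str, int], ...] = (
    ("10.0.0.5", 1001), ("10.0.0.5", 1002), ("10.0.0.5", 1003),
    ("10.0.0.5", 1004), ("10.0.0.5", 1005),
    ("10.0.0.9", 1002),
)


def flag_enumeration(log: Iterable[Tuple[str, int]], max_distinct_ids: int = 3) -> Set[str]:
    """Detection: a client that requests more distinct ids than any legitimate
    subscriber could own is walking the id space. Returns the offending clients."""
    seen: Dict[str, Set[int]] = {}
    for client, ident in log:
        seen.setdefault(client, set()).add(ident)
    return {client for client, ids in seen.items() if len(ids) > max_distinct_ids}


if __name__ == "__main__":
    spoofed = {"User-Agent": TRUSTED_UA_PREFIX + "; constructed)"}
    print("weak, spoofed UA:", records_exposed(lookup_email_weak, range(1000, 1010), spoofed))
    print("hardened, as 1002:", records_exposed(lookup_email_hardened, range(1000, 1010), {}, 1002))
    print("clients enumerating:", flag_enumeration(ACCESS_LOG))
```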
Let's say you exploit that bug in the internet banking application and you access my account.
Then you start logging into other people's accounts and copying their address, balance, transaction lists.
Then you publish all this information you have stolen and say "Oh, don't use internet banking -- they don't protect your private information."
The bank should have done better to protect that information, granted, but you have also performed an unethical and criminal act by publishing this information.
Both the bank and the person that leaked that information should be punished.
Okay, when I find a bug in your web app I will publish it anonymously, widely and embarrassingly for you.
That's because you didn't want to be friendly. You wanted to be hard. You wanted DoJ. Now you will be forced to want a class action suit from your customers and bankruptcy.
Responsible disclosure to the vendor is one thing.
Taking the fruits of your exploits and publishing it for glory and a "I leaked all that information because you wouldn't fix it" attitude is quite another.
I would hope that if you discovered a vulnerability in one of my web applications you would contact me first and allow it to be resolved. Might even be lucrative for you.
If you used that vulnerability to steal my database and publish it to the public domain -- when it has no place in the public domain, I would expect the DoJ to hunt you down.
I never said anything about not being friendly.
But if you are playing with people's identities, their lives, this is not friendly at all.
Ars Technica lost a lot of respect with me yesterday when they stated in the analysis of Mega's security that symmetric encryption is inherently less safe than asymmetric.
Also the quoted article does not appear to show considerable insight on internet security.
Sheer directory traversal should never be considered a criminal act.
Of course if they had followed through with the stock manipulation, this would warrant criminal punishment.
Although of course stock manipulation is only punishable if you're not a bank or hedge fund, which is sad.
A lot of people will never speak out against weev because of his scorched earth tactics. His list of enemies is a lot longer than a few Feds.
In Texas, they don't convict homeowners who shoot trick or treaters trespassing on private property: http://wiki.answers.com/Q/In_Texas_can_you_shoot_someone_for....
http://arstechnica.com/apple/2011/01/goatse-security-trolls-...
That should be "intent", fyi. Legal code is not nearly as whitespace-sensitive as is Python.
I did this because I despised Guido van Rossum, whom I think is unjustly beardy[1], and wanted to embarrass him.
I was convicted of two consecutive five-year felonies, and am now awaiting sentencing.
[1] https://dl.dropbox.com/u/14204175/screencaps/AwesomeRossum.j...
What can be done?
That's an easy one! Just get congress to pass a law granting you retroactive immunity for breaking the law. http://www.guardian.co.uk/commentisfree/2012/oct/10/supreme-...
That was his admitted rationale - that he was seeking to embarrass people he despised because they were "unjustly wealthy?"
Obviously pure speculation (mixed with cynicism), but recalling this story of the email harvesting, I have no problem imagining a conversation like this occurred:
PR Flack: "Sir, we had a little PR snafu today and millions of email addresses of paying customers were exposed."
CEO: "So what?"
PR Flack: "Well it looks bad sir."
CEO: "Fine, shitcan some 50K a year nerd in one of the data centers and then issue a press release indicating how seriously we take customer privacy."
No weev, you found a bug in their web app, then _YOU_ willfully published other people's personally identifying information for your own fame and glory. Unfortunately, someone whose name and details you leaked didn't like that, and called in a favor. The DoJ came after you hard.
Your little TechCrunch article chooses to omit crucial facts, and you are riding on the back of Aaron Swartz again. You are nothing like Aaron.
Right now the URL I'm looking at has "id=5095821" in it. If I change that to "id=5095822", I'm looking at something else published by Hacker News. But by DoJ standards, I'm "hacking" and have broken the law if HN didn't deliberately publish it.
weev is an ass. But he didn't hack anything.
These cases are trying to set a standard of "security by intent". There is no such thing. It's like my internet banking saying "To access your bank account, please type in your account number. Be careful to get it right or you'll be looking at someone else's account"
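The "security by intent" point above turns on whether access to a record is decided by an explicit check or merely by how hard the identifier is to guess. As an added illustration (not code from this thread, from HN, or from any of the sites discussed), the following constructed Python shows an unchecked id lookup beside one that authorizes each object per request, plus a small check over constructed access-log lines that flags a client walking a run of consecutive ids. The record set, the log lines and all function names are assumptions made for the example.

```python
"""Added example: object-level authorization versus "security by intent".

A URL like "...?id=5095821" where changing the number returns another row is
only a problem if the row was never meant to be public.  The handler should
decide that explicitly instead of relying on nobody changing the number.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Record:
    id: int
    owner: str
    public: bool
    body: str


# Constructed sample data standing in for a database table (an assumption).
RECORDS = {
    5095821: Record(5095821, "alice", True, "a public post"),
    5095822: Record(5095822, "bob", False, "bob's private account details"),
}


class NotFound(Exception):
    """Raised for rows that do not exist or that the requester may not see."""


def fetch_record_unchecked(record_id: int) -> Record:
    """The pattern criticised in the thread: anyone who can form the URL
    gets the row, so privacy rests on the id not being guessed."""
    try:
        return RECORDS[record_id]
    except KeyError:
        raise NotFound(record_id)


def fetch_record(record_id: int, requester: Optional[str]) -> Record:
    """Hardened version: authorization is evaluated per request, per object."""
    rec = RECORDS.get(record_id)
    if rec is None:
        raise NotFound(record_id)
    if rec.public or (requester is not None and requester == rec.owner):
        return rec
    # Same error as for a missing row, so enumerating ids does not reveal
    # which private records exist.
    raise NotFound(record_id)


# Constructed access-log lines (client, method, path, status) for detection.
ACCESS_LOG = """\
203.0.113.9 GET /item?id=5095821 200
203.0.113.9 GET /item?id=5095822 404
203.0.113.9 GET /item?id=5095823 404
203.0.113.9 GET /item?id=5095824 404
203.0.113.9 GET /item?id=5095825 404
198.51.100.4 GET /item?id=5095821 200
198.51.100.4 GET /item?id=5095830 200
"""

LINE_RE = re.compile(r"^(\S+) GET /item\?id=(\d+) (\d{3})$")


def enumerating_clients(log_text: str, min_run: int = 4) -> set:
    """Return clients that requested at least `min_run` consecutive ids.

    Sequential walks through an id space are the access pattern to watch for
    when a site exposes per-object URLs; a run this regular is rarely a
    person reading pages by hand.
    """
    ids_by_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ids_by_client[m.group(1)].add(int(m.group(2)))
    flagged = set()
    for client, ids in ids_by_client.items():
        longest = run = 0
        prev = None
        for i in sorted(ids):
            run = run + 1 if prev is not None and i == prev + 1 else 1
            longest = max(longest, run)
            prev = i
        if longest >= min_run:
            flagged.add(client)
    return flagged


if __name__ == "__main__":
    print(fetch_record(5095821, None).body)          # public row, anyone may read it
    print(fetch_record(5095822, "bob").body)         # owner reads own private row
    print(enumerating_clients(ACCESS_LOG))           # {'203.0.113.9'}
```

The two lookups differ only in where the decision is made: the unchecked one answers "is there a row with this id?", the hardened one answers "may this requester see this row?". The log check is the defender's side of the same observation the commenter makes about changing the number in a URL.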
It's not the world's greatest hack, but it certainly was using the system in a manner that I'm certain AT&T did not intend. The IRC logs indicated that they knew what they were doing was likely criminal, and if AT&T discovered them, would "sue" them.
Whereas I'm guessing PG would be fine with you incrementing the number on the HN URL. And I'm pretty certain that's not criminal behavior.
It's important to note that just because weev was hacking the AT&T site, didn't mean it was a criminal hack. In my mind it barely crosses the line - and he gets punished somewhat, but I'm thinking a week in jail and 30 days community service - not the silly levels that the feds are going to in this case.
Let's say you exploit that bug in the internet banking application and you access my account.
Then you start logging into other people's accounts and copying their address, balance, transaction lists.
Then you publish all this information you have stolen and say "Oh don't use internet bank -- they don't protect your private information"
The bank should have done better to protect that information, granted, but you have also performed an unethical and criminal act by publishing this information.
Both the bank and the person that leaked that information should be punished.
Real people were hurt here by having their PII exposed. Don't forget that.
That's because you didn't want to be friendly. You wanted to be hard. You wanted DoJ. Now you will be forced to want class action suit from your customers and bankruptcy.
I would hope that if you discovered a vulnerability in one of my web applications you would contact me first and allow it to be resolved. Might even be lucrative for you.
If you used that vulnerability to steal my database and publish it to the public domain -- when it has no place in the public domain, I would expect the DoJ to hunt you down.
I never said anything about not being friendly. But if you are playing with people's identities, their lives, this is not friendly at all.
Also the quoted article does not appear to show considerable insight on internet security.
Sheer directory traversal should never be considered a criminal act.
Of course if they had followed through with the stock manipulation, this would warrant criminal punishment.
Although of course stock manipulation is only punishable if you're not a bank or hedge fund, which is sad.