Weev gets 41 months in prison for exposing iPad strokers' privates

Andrew Auernheimer, a member of the grey-hat hacking collective Goatse Security, has been sent down for three years and five months in the slammer after he helped leak users' private email addresses via a flaw in AT&T's servers. Auernheimer, known online as Weev, received his sentence wearing shackles after he tried to bring a …

COMMENTS

  1. Anonymous Coward
    Anonymous Coward

    If you tried the same trick on someone's front door you wouldn't be able to use the excuse that you were doing security research.

    The servers aren't his property, therefore he is not allowed to play around with them, simple as that.

    If you want to hack hardware and software then make sure it is your own!

    1. Anonymous Coward
      Anonymous Coward

      God you're stupid. Comparing it to a front door is a childish attempt at misdirection.

      If nobody performed these kinds of investigations then the only people doing it would be criminals, and guess what, people stealing your details for profit aren't going to tell anybody about the flaw (except maybe other criminals for a tidy profit). Also telling the company responsible for the flaw rarely gets you anywhere (particularly if it's a big company) apart from occasionally a gagging order or prison.

      No this person did one thing wrong, and that was embarrass big business.

      1. cirby

        Except...

        A real "good guy" hacker would find the exploit and demonstrate it - without grabbing all of that data and handing it over to someone else.

        Likewise, someone who knew how to pick a lock wouldn't break into the house and rummage through the belongings of the people inside - he'd go to the manufacturer and show them how he did it, or wait and demonstrate the flaw at a conference.

        That "companies won't respond" line is pretty much false - it's an excuse given by hackers when they get caught doing something stupid. Usually, it's a lazy but egotistical hacker-wannabe who wants to make the headlines, but doesn't want to bother with actually calling the persons who are responsible for said security flaws. "I contacted the company" usually boils down to "I called their PR department, and they told me it was the wrong number."

      2. Tom 35

        If he did try it on someone's front door, and even helped himself to a TV, and somehow the cops bothered to look for him I don't think he would be spending any time in jail.

        His other fault was not kissing the Judge's arse.

      3. Anonymous Coward
        Anonymous Coward

        Not stupid - the law is the law.

        @ anon 18/3 @18:56

        If nobody performed these kinds of investigations then the only people doing it would be criminals, and guess what, people stealing your details for profit aren't going to tell anybody about the flaw (except maybe other criminals for a tidy profit). Also telling the company responsible for the flaw rarely gets you anywhere (particularly if it's a big company) apart from occasionally a gagging order or prison.

        Nope. "These kind of investigations" can be performed without immediate disclosure of personal information. Even if he downloaded data, he could have kept that confidential and used responsible disclosure to make AT&T aware of the issue, with a time clause to get their rear ends in gear but again without disclosure of personal details.

        I was once asked to verify if information protection was in place in a location which I am not allowed to name. When I found a route in, I had my big boss tell me I should copy a document from that service as proof. I told him that I was happy to show an authorised member of staff what to do and grab the data, but there was NO WAY I would touch a document myself. If, by any chance, information leaked about the data that I had copied, guess who would be suspected first? Not a chance.

        In my experience, teaching beginners about security properly rarely involves teaching them technical things - that inclination tends to come with the package. Making them think about consequences is FAR more important.

        Was the sentence appropriate? No, but if you piss people off by not giving them a chance, you risk that they throw the book at you. This is the point where you realise that people matter..

      4. WatAWorld

        God you're stupid to make the remark "God you're stupid".

        As it is, the only people doing it are criminals. Did you not read the article? Do you not understand the law?

        You could make the same lame "if we didn't do it only criminals would be doing" argument with front doors of homes too, it would be equally invalid.

        1. Chris007
          Mushroom

          And you're a fuckwit for saying "God you're stupid to make the remark "God you're stupid"." and the rest of the pish you wrote.

          "As it is, the only people doing it are criminals" - what bloody planet are you living on, you moron.

          My initial thought was I hope you don't end up in a situation where you end up in jail for something that caused NO damage, NO financial loss (other than paying coders to fix the sloppily installed server) and he sought NO financial gain but then I thought "you know what it might be the wake up call WatAWorld needs"

          1. Anonymous Coward
            Anonymous Coward

            I hope you don't end up in a situation where you end up jail for something that caused NO damage, NO financial loss (other than paying coders to fix the sloppily installed server) and he sought NO financial gain

            Chris, that isn't the problem. Those facts may act as mitigation to lower a sentence, but the bottom line is that a law was broken, and someone got punished for it. The guy got convicted exactly because there are other ways to do this, and he didn't even try any of those alternatives.

            Was the sentence excessive? In my opinion, yes, but those are the dice you roll when you break the law. He didn't exactly help himself by not showing remorse either (which no doubt contributed to the sentence).

      5. Nuke
        Thumb Down

        @ AC (18:56) - Re :

        Wrote :- "If nobody performed these kinds of investigations then the only people doing it would be criminals"

        Weev is a criminal. For future reference, a "criminal" is someone who commits a crime.

        1. tekHedd
          Pint

          Re: @ AC (18:56) - Re :

          " For future reference, a "criminal" is someone who commits a crime"

          True, but not relevant. People are clearly using the term "criminal" here to mean "someone who deserves to be convicted" instead of "someone who *was* convicted." While not strictly correct, the rest of the pedants (and I include myself in this group) seem to be coping just fine. I find that beer helps.

          1. clean_state
            FAIL

            Re: @ AC (18:56) - Re :

            not quite: a "criminal" is someone who gets afoul of penal law, i.e. commits a deed that the state deems harmful enough to society to commit public funds to prosecute it and punish it with a jail sentence.

            In this case, please demonstrate the harm to society. There does not seem to be any, actually, there is a benefit in the flaw being promptly fixed by AT&T.

            The fact that there is a penal law that allowed this conviction just means that the law-making system is corrupt enough for such a law to exist. This law is an aberration so upholding it to quasi-religious standards with statements such as "the law is the law" is pretty short-sighted.

            But well, with the Supreme Court declaring that bribing a politician (election money) is "free speech" and protected by the first amendment, you guys are in big trouble.

    2. koolholio
      Joke

      As long as you don't distribute the code and it's not a Sony Playstation!

    3. LarsG
      Meh

      The justice system

      Needs to be updated from 1.0 to 101.9.

    4. Wzrd1 Silver badge

      "If you tried the same trick on someone's front door you wouldn't be able to use the excuse that you were doing security research."

      That was the point I was going to make. If my front door has a cheap lock, that doesn't mean a random stranger may pick the lock and toss my home.

      If you want to hack hardware and software, but don't want to hack your own, get a contract with the owner. You'll turn a nice profit and hack to your heart's content.

  2. Anonymous Coward
    Anonymous Coward

    Importance

    ... or lack thereof: Auernheimer will find out how little of it he has, very soon now. The only importance he has is self-importance.

  3. ratfox
    Devil

    Showing no contrition

    If there is one thing that the justice system hates, it is criminals who don't make at least a show of regretting what they have done. It is a bit like declaring at the customs that your job is smuggling. I bet the sentence would have been way more reasonable if he had "treated them with respect".

    1. Knochen Brittle

      Contrition is a religious concept,

      and one easily mimed, for which there should be no consideration in a rational and fair legal proceeding.

      What you are really referring to is the practice of pandering to the sentencing Judge's pampered sense of sadism by engaging in a (generally lawyer-advised) ritual bout of 'voluntary' self-abasement taking the form of grovelling apologies and abject pleas of misericordia. Those who are innocent or proud refuse to engage in this extra-judicial public auto-flagellation and so are otherwise punished with a more severe sentence within the (corrupt) Judge's 'discretion'. Those who do, get the sentence already decided upon - i.e. gain no benefit from the humiliation.

      Another weighty factor here are the desired political effects, of which I can see two:

      1. The lower classes must (re)learn that their place is toiling in silence, not embarrassing OverLords with disclosures about their vulnerabilities or crimes - lulz, satire or free speech against the ruling mafia will be severely punished.

      2. Hackers must learn to tremble in pre-emptive fear of the Pentagovernment, and quietly render any discovered 0-Days to the CyberOffence Command for Droit-de-Seigneur-style exploitation against the fabricated enemies-du-jour, both foreign and domestic.

      Of course, for the morose US legal body, in which the highest value is the perpetual impunity of State warcriminals and torturers, this kind of savage result is achieved during coffee breaks, hardly even counting as in the day's work.

      So, au contraire - it's a filthy, rotten Injustice System, which earns no respect but rather an immeasurable contempt.

      Free All Political Prisoners, Free Weev!

      1. ratfox

        Re: Contrition is a religious concept,

        I think you don't get it. The point of the justice system is to get people to act legally. There were plenty of ways to report the flaw without sending private user data to the press. It was even possible to publicly embarrass the company by revealing the flaw without actually leaking private user data. So Weev broke the law without any proper justification, not even that of being a whistleblower. Satire is protected free speech, but lulz is not.

        In that case, the job of the justice system is to first, point out that this is illegal, and second, to deter people from doing it. When the accused is proudly admitting breaking the law and claiming it is the right thing to do, the justice system has to make it especially clear that no, it is not. And the more the accused insists on advertising his claims, the harsher the justice system has to be.

        It is not about forced humiliation. Here, just shutting up would have been preferable.

        1. Knochen Brittle

          "The point of the justice system is to get people to act legally"

          That's the kind of touchingly infantile political naiveté so essential to the class of people who design and use that system to subdue the masses into acquiescence, allowing their injustice to continue unhindered. Well done!

          Your practically religious resistance to reality would be admirable, if it did not have such severe consequences.

          Check this and see if you still agree with yourself:

          http://www.freegarytyler.com/writings/isr.html

          1. Anonymous Coward
            Anonymous Coward

            Re: "The point of the justice system is to get people to act legally"

            "That's the kind of touchingly infantile political naiveté so essential to the class of people who design and use that system to subdue the masses into acquiescence, allowing their injustice to continue unhindered."

            Yes, like a telephone company who store people's email.

            FIGHT THE POWER!

            DOWN WITH TELEPHONE COMPANIES WHO SUPPLY EMAIL TO IPADS AND ALL THEIR DESPOTIC SYSTEMS OF INJUSTICE THAT SUBDUE THE MASSES INTO ACQUIESCENCE!

            etc etc, till you turn 14 years old

          2. Anonymous Coward
            Anonymous Coward

            Re: "The point of the justice system is to get people to act legally"

            Hahaha. HahahaHAAAAhahaha hihi hahahahahah HAHAHAHA. Sorry, haha, let me catch my breath, hahahaha. Hah. Hihihi. So someone gets a few years in the slammer because he behaved like an idiot, and you compare this to a death row situation? Seriously?

            The evidence was very clear and simple, no doubts there. Secondly, he had plenty of opportunity to follow legal routes to make this problem known, he chose not to. Thirdly, he didn't even have the brains to even *pretend* to have remorse at his trial, so they threw the book at him. Don't you think your reference may just be a teeny weeny bit irrelevant and OTT? No?

            As for the rest of your rant, the law is there to enable a livable society. Your contract to derive rights from participation in that society is contingent on making an effort to follow the law and the obligations a society imposes on you. If you break the law, you harm the rights of others which can lead to punishment. Granted, that system could be improved but the principles are there. If you don't like those obligations and laws (aka rules), in most societies you also have the right to leave.

            A couple of years in less enlightened sections of the planet may prove educational anyway.

        2. JEDIDIAH
          Linux

          Re: Contrition is a religious concept,

          No. You're just kidding yourself. You're assuming that the corporation will act in good faith when that is the least likely thing to happen. Even multiple public shamings and large jury awards don't always encourage corporations to do the right thing. Assuming that they would mend their ways because of a polite little note is absurd bordering on being a diagnosable psychological disorder.

          Despite his other conduct, exposing this to the world was a valuable public service. We would never have known otherwise and AT&T would never have any motivation to clean up their act.

          1. Anonymous Coward
            Anonymous Coward

            Re: Contrition is a religious concept,

            Believe it or not, companies don't actually want to expose their customers' personal information to the internet. There's laws against them knowingly doing it etc. Data protection law etc. Naming and shaming publicly really isn't in anyone's interest. I know, as I've worked on these things, with these companies. They're not overly keen on going to jail, like most people.

            But you crack on, publishing individuals' personal details on the net is the only way to achieve change.

  4. NukEvil

    derp derp

    If you don't like it, stay the hell out of our country. We are happy to let our corporate overlords rule us to death with impunity, and we would greatly appreciate it if that annoying constitution didn't make such a racket when being flushed down the toilet so often.

    Already, we're having people that believe that our government is still held accountable by its people.

    Join me, fellow citizens of the State, in bowing down to worship our overlords--both corporate and the oligarchy that is our government--in this momentous great day. A day in which a criminal has met his karmic punishment at the hands of the very tools he used to commit great crimes. The first letter in each line in this comment should accurately describe our judicial system.

    1. MondoMan
      WTF?

      Re: Idrajokl????

      Your formatting or my lack of understanding?

      1. Ole Juul

        Re: Idrajokl????

        It's a puzzle. HTML wraps unless you use /pre or line breaks (/br). In this case I get IwbAJtta at my usual 120% and IdrAJopc at 100%.

        1. NukEvil
          Trollface

          Re: Idrajokl????

          Hmm. Let's see, either I can blame myself for not taking the screen size/format settings of others into consideration, or I can blame others for not being able to see it properly. Hmmm...

          Perhaps a screenshot will do for those of you who use a browser that refuses to follow basic web standards:

          http://i.imgur.com/NHBiGMm.png

  5. Eddy Ito

    I don't get the $72,000 restitution to AT&T. Is this what it cost them to fix their own shoddy code? Certainly AT&T haven't suffered anything other than a little arse ache which they rightly deserve.

    Granted, he could have been a bit less smug about it but he might have seen the writing on the wall over the course of the trial by paying attention to the judge's reactions. Judges like to appear unbiased but most every time I've done jury duty it's been pretty clear what the judge's opinion was by the second day.

    1. Steve Knox

      I don't get the $72,000 restitution to AT&T. Is this what it cost them to fix their own shoddy code?

      More likely it's what it cost them to notify their affected customers and deal with hacks related to the breach of information (possibly x3 as that's a popular punitive proportion.)

      1. C-N
        Trollface

        A Great Way to Finance Your Business

        1. Build shabby website.

        2. Wait for inevitable "hacking" attempt. (could simply be a frustrated customer, who cares)

        3. Get gov't to prosecute & sue for restitution

        4. Use restitution to hire engin^H^H^H^H more marketing!

  6. rictay
    Facepalm

    Freedom of the Internet? In your mind, chum

    "...The Internet is bigger than any law can contain...." This is a common misunderstanding of what the Internet is. Internet means "Internetwork" - it consists of dozens of corporate networks plugged together with a common comms protocol.

    I've worked on Internet development projects since the 90s and am constantly amazed by the naive drivel that passes for expertise today.

    If the network administrators of those cooperating networks decided to block any traffic that neither originated from nor was destined for their own users, ie their networks became private again, then your precious Internet would disappear overnight. You'd be back with the CompuServe model again, ie, the only services available would be those provided by, or approved by your ISP.

    Same if "The Law" made those network administrators responsible for the porn, trash, hackers, spam, pirated music, films, and software that crosses their networks. Dozens of corporate networks would become private again overnight and bang goes the Internet. Don't think it hasn't been discussed. Don't think it can't be done.

    1. Mr Anonymous
      FAIL

      Re: Freedom of the Internet? In your mind, chum

      So have I, what a load of old guff you're spouting, closed networks = less money, therefore we will not see a return to AOL or CompuServe.

      However, Fecalbook would certainly like to see a hybrid model of their users and other companies paying for the network, while they extract all the cash.

  7. IT Hack

    Big People

    And yet again the US judiciary and public attorneys so that they are not interested in the safety of the plebs who use the net...but only the big boys.

    These stories do nothing but reinforce my reticence to ever go back to the US...

    1. Anonymous Coward
      Anonymous Coward

      Re: Big People

      Actually this shows that at least one person in the US Justice Department cares about the little guy.

      You can't have people going around tossing rocks through windows 50,000 at a time in order to demonstrate that glass windows are insecure and getting away with it.

      The, "If I didn't throw rocks through windows only crooks would throw rocks through windows" argument just does not hold water.

      1. IT Hack
        Pint

        Re: Big People

        Firstly I feel I need to apologise for the above horror show of a post. Not in terms of spelling mistakes but rather missing entire letters out! Not good.

        I also failed to be clear what my actual objection was.

        The length of the jail sentence is far too extreme for the level of the "crime". Given that the data was available on a open web server. Rather than censuring AT&T for lax security the judge and prosecutors went after the security researcher. Not that he is entirely innocent...but at most he's guilty of foolishly not thinking through how to report his findings in a more...professional manner.

        The only reason the guy was sentenced to a ridiculously long amount of time, and fined to boot, was because he made AT&T look foolish, and had emails of people in positions of influence and power. If all those emails had been ordinary folk I bet you he'd have never been sentenced to such a long time in prison.

        Of course this is only my opinion and I could well be wrong and you would be right in presuming that I am typing this in a ranty rage. However it is quite clear that when it comes to computer "crimes" the US does tend to take things to an extreme...it either being driven by prosecutors wanting to make a name for themselves (and judges) or powerful people able to hire suits that the defendant just does not have the resources to compete against.

        Pint coz well ranty rages are a thirsty business, right? ;)

        1. Fred Flintstone Gold badge

          Re: Big People

          Firstly I feel I need to apologise for the above horror show of a post. Not in terms of spelling mistakes but rather missing entire letters out! Not good.

          Hey, happens to me too. Not a problem :)

          The only reason the guy was sentenced to a ridiculously long amount of time, and fined to boot, was because he made AT&T look foolish, and had emails of people in positions of influence and power. If all those emails had been ordinary folk I bet you he'd have never been sentenced to such a long time in prison.

          I think it probably had more to do with the fact that the judge couldn't really see any remorse for his activity. The idea of a punishment is to prevent a repeat or correct behaviour. If the accused has already spotted where they screwed up (or can act convincingly, let's be realistic), the sentence needs not to be that harsh to ensure lawful behaviour.

          If the accused doesn't show remorse, the sentence gets harsher because it still has to be made clear to the defendant that what they did was A Really Bad Idea, and because leniency could otherwise encourage other idiots to act in the same way. IMHO, the situation is aggravated by the fact that US works on precedent - if this guy had been able to walk off with a short holiday it would have set precedent for similar cases.

          I'm not entirely clear what the AT&T restitution was for, though.

          1. Anonymous Coward
            Anonymous Coward

            Re: Big People

            " If the accused has already spotted where they screwed up (or can act convincingly, let's be realistic), the sentence needs not to be that harsh to ensure lawful behaviour."

            So from your parentheses, you accept that the contrition bit is just theatre? Certainly appears to be standard in the local rag "before the magistrates", where week after week repeat offenders get lighter sentences by bleating on about how sorry they are, how they suffered exceptional misfortune themselves, and promise upon their mother's soul to go straight as soon as they are free.

            If the judges are sufficiently daft to go along with this nonsense, then perhaps the pols need to set tariffs themselves, and abolish judges' discretion in sentencing.

          2. IT Hack

            Re: Big People

            @ Mr Flintstone

            Whew! I'm not the only one! I've been leaving out entire words recently...must lay off the pints ;)

            It's not easy to show remorse for something that really wasn't bad as such. He should have tempered his language though. Either way though it is still an entirely over the top sentence. Ultimately the only thing he really did wrong was going about his research the wrong way...and ending up in a court with a judge who is not tech savvy to the extent that the intricacies of this kind of work are understood.

            I reckon the AT&T fine was just putting the boot in for the hell of it.

  8. Mike Moyle

    Redaction...?

    Based on this one article, it sounds like he didn't redact any of the customers' information before sending the data to Gawker to publish. That's making a lot of third parties pay in aggravation (and the possibility of identity theft, etc.) for their ISP's failure. Frankly, AT&T's embarrassment is of zero importance to me -- punishing users for their choice of connectivity vendor strikes me as being more than a bit of a dick.

    He could have -- relatively easily, I'm sure -- redacted the information in such a way that Gawker or some other news outlet could have presented it to ATT, asking for confirmation that it was theirs and asking if they were aware of the flaw in their security, without leaving the users hanging in the wind.

    Also, there is no mention of how LONG he waited for ATT to fix the flaw before going past them for the publicity. Three days...? A week...? Three months...? This has bearing, I think, on whether his actual goal was giving ATT a genuinely reasonable amount of time to verify the problem, fix the code, test the fix, and roll it out, or whether it was just to cover his ass with the "Well, I TOLD them and they did NOTHING so I HA-A-A-A-AD to go over their heads" defense.

    1. Anonymous Coward
      Anonymous Coward

      Re: Redaction...?

      I used to use the name gawker on irc a long time ago, hope they don't get confused and arrest me!

  9. Andus McCoatover
    Windows

    Idiot!

    Why didn't he create a couple of his OWN accounts, then try to crack them, and only those, then tell the BOFH how he did it.

    If it was his OWN accounts that he cracked, not much cause for a hefty fine...or porridge. That's how I'd do it.

    Oh, wait. Cattle prod/weekend in the tape safe?

  10. Anonymous Coward
    Anonymous Coward

    He's Right

    "Internet will topple governments,"

    He's right.

    1. Anonymous Coward
      FAIL

      Re: He's Right

      You really think obese people in front of computers will achieve anything ?

      Unemployed professionals in large numbers without electronic sedatives - they can achieve something. The intarwebs will achieve nothing while crumbled finance can achieve all sorts of highly nasty stuff.

      1. Fred Flintstone Gold badge
        Thumb Up

        Re: He's Right

        You really think obese people in front of computers will achieve anything ?

        *Love* the sarcasm :)

    2. Anonymous Coward
      Anonymous Coward

      Re: He's Right

      But other than that, he's just a stupid thief.

  11. Steve Mann

    Bah!

    He should have used the time-honoured "Asperger's" defense.

    1. Anonymous Coward
      Flame

      Re: Bah!

      No he shouldn't. He did us all a service by exposing what is really going on. These days, you are not punished for actual crimes, but for the Crime Of Embarrassing Important People.

      Whenever you have an interview, tell people you won't travel to the US on business duty, as you don't trust their justice system. Stop buying American goods. Buy ARM-based computers. Stop drinking Coke. Maybe that will send a message.

  12. Anonymous Coward
    Anonymous Coward

    It's a fair sentence.

    It is a fair sentence. This isn't the wild west.

    If you steal from an unlocked home it is still burglary. If you steal a car that has the keys in the ignition it is still car theft.

    If you have to fiddle to get the data, then you're into the analogy of glass windows that break and cars that can be hotwired.

    1. Yet Another Anonymous coward Silver badge

      Re: It's a fair sentence.

      No he didn't break anything, he didn't damage anything, he didn't deprive the owners of anything and didn't cost any of the owners of the data anything in lost sales.

      What he did was the equivalent of the USPS selling an envelope that was transparent if you held it up to the light - he held some envelopes of senior US govt figures up to the light, pointing out that the Russians/Chinese/n Koreans/Iranians/Milk marketing board - could do the same, and was slapped for it.

      1. Anonymous Coward
        Anonymous Coward

        Re: It's a fair sentence.

        First, he deprived people of their privacy.

        Second, the embarrassment probably cost AT&T money sales.

        What he did was akin to going into a post office, steaming open the mail, photo copying it, and publishing it in the New York Times.
