
Infamous hacker/troll Weev jailed ‘for doing arithmetic’

Jesse Brown on the grey world of digital information sharing


 

Andrew Auernheimer leaves the courthouse after posting bail on Monday, Feb. 28, 2011 in Newark, N.J. (Julio Cortez/AP)

If comedian Lenny Bruce were alive today, he’d be a hacker.

Think about it; there’s not much left to say on a stand-up stage that truly threatens authority or social orthodoxy. It’s hard to imagine Louis CK or Chris Rock going to jail, or even to court, over their filthy routines. But governments, courts and corporations are proving remarkably touchy about what we do and say with our computers. While Lenny Bruce was sentenced to jail for using common language to say things that were obviously true, today you can similarly lose your freedom for using common computer techniques to expose obvious realities.

Case in point is the trial of Weev. Andrew Auernheimer, the infamous hacker/troll/prankster, has been sentenced to 3.5 years in prison for violating the U.S. Computer Fraud and Abuse Act, the same law used to prosecute Aaron Swartz.

Here’s what Weev did:

When the iPad came out, thousands of new owners subscribed to mobile data service for it through AT&T. Weev discovered that a public web page posted by AT&T revealed the email addresses of these iPad owners. There was no hacking involved in obtaining the emails–just change the seemingly random number included in the web address, and the page would spit out a stranger’s email address. Weev and a friend wrote a script to automate this, adding a digit to the number and getting a new address, one at a time. They quickly collected 114,000 emails this way, including the addresses of prominent early iPad owners like Rahm Emanuel and Harvey Weinstein.
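The pattern described above, a single client stepping through identifiers one at a time and receiving a fresh record for each, leaves a recognisable trail in ordinary web server logs. This added example (not part of the article, and not AT&T's own code or logs; the log format, paths, parameter name and client addresses are constructed) flags clients whose successful lookups walk numeric identifiers in steps of +1, which is how a defender would have spotted the enumeration while it was happening.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in common log format (not real records).
# 203.0.113.7 walks ids 1001..1005 and gets a 200 for each; the other clients
# make ordinary-looking requests.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2010:09:00:01 +0000] "GET /subscriber?id=1001 HTTP/1.1" 200 58
203.0.113.7 - - [10/Jun/2010:09:00:01 +0000] "GET /subscriber?id=1002 HTTP/1.1" 200 61
203.0.113.7 - - [10/Jun/2010:09:00:02 +0000] "GET /subscriber?id=1003 HTTP/1.1" 200 57
203.0.113.7 - - [10/Jun/2010:09:00:02 +0000] "GET /subscriber?id=1004 HTTP/1.1" 200 60
203.0.113.7 - - [10/Jun/2010:09:00:03 +0000] "GET /subscriber?id=1005 HTTP/1.1" 200 59
198.51.100.4 - - [10/Jun/2010:09:00:05 +0000] "GET /subscriber?id=4210 HTTP/1.1" 200 62
198.51.100.4 - - [10/Jun/2010:09:01:10 +0000] "GET /account HTTP/1.1" 200 1203
192.0.2.9 - - [10/Jun/2010:09:02:00 +0000] "GET /subscriber?id=77 HTTP/1.1" 200 55
192.0.2.9 - - [10/Jun/2010:09:02:00 +0000] "GET /subscriber?id=9000 HTTP/1.1" 200 55
192.0.2.9 - - [10/Jun/2010:09:02:01 +0000] "GET /subscriber?id=312 HTTP/1.1" 200 55
"""

# client, method, path, status; the remaining fields are not needed here.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) ')
ID_RE = re.compile(r'[?&]id=(\d+)')  # hypothetical lookup parameter name


def parse(log_text):
    """Yield (client, numeric_id, status) for lines that carry an id parameter."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _method, path, status = m.groups()
        idm = ID_RE.search(path)
        if idm:
            yield client, int(idm.group(1)), int(status)


def enumeration_suspects(log_text, min_ids=4, min_sequential_ratio=0.75):
    """Return {client: (distinct_ids, sequential_steps)} for clients whose
    successful (200) lookups form a run of consecutive identifiers."""
    ids_by_client = defaultdict(list)
    for client, obj_id, status in parse(log_text):
        if status == 200:  # only records actually handed out count
            ids_by_client[client].append(obj_id)
    suspects = {}
    for client, ids in ids_by_client.items():
        distinct = sorted(set(ids))
        if len(distinct) < min_ids:
            continue  # too few lookups to call it a sweep
        steps = sum(1 for a, b in zip(distinct, distinct[1:]) if b - a == 1)
        if steps / (len(distinct) - 1) >= min_sequential_ratio:
            suspects[client] = (len(distinct), steps)
    return suspects
```

The thresholds are tuning knobs: a per-client request rate limit on the lookup endpoint is the preventive control, and the detection is what tells you the control is missing.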

Had Weev been a “white hat” hacker, he might have privately informed AT&T of the security gap and given them the chance to close it without embarrassment. Had he been a “black hat” hacker, he might have found a way to sell the data or otherwise exploit it. But Weev considers himself a “gray hat” hacker. He didn’t want to profit from the discovery or harm the people whose information was compromised: He just wanted to embarrass AT&T for their poor data hygiene. So he sent a sample of the emails to Gawker as proof of the bug, in the hopes that they would run a story on the corporation’s blunder.

For that, he’s going to jail. He and his co-defendant will also have to pay AT&T $73,000 in restitution. (One wonders what AT&T might have paid Weev to have learned of the bug before he went public. Google, for example, pays hackers up to $150,000 each for cracking their software and telling them how.)

Before his sentencing, Weev said to a crowd assembled outside the court, “I’m going to jail for doing arithmetic.” As they made the case for his incarceration, Weev’s prosecutors admitted that they did not understand computers.

Bruce’s tormenters similarly bragged about not having seen the comedy routine they were persecuting him for.

Weev plans to appeal his conviction, and the Electronic Frontier Foundation has taken on his case.

Follow Jesse on Twitter @JesseBrown


 


  1. ‘Weev’s prosecutors admitted that they did not understand computers.’

    Centuries later, and I see the ignorant are still burning people at the stake.

  2. This is why the USA is going down the history lane.

    Rise now Asia.

  3. what an idiotic judge

  4. I never thought arithmetic was criminal, but algebra and calculus — lock up people who do those things.

    • Arithmetic is a gateway drug. Stay far, far, away, young fella.

  5. The judicial system in North America is populated with idiots, narcissists and crooks, who are failing us on a massive scale. Judicial reform is so badly needed, but nobody seems to be talking about it.

  6. There was no hacking involved..they just changed the expected outputs of their program (browser) to ones that the AT&T server interpreted in such a way as to give them access to information they normally wouldn’t get.

    What, exactly, qualifies as hacking to you Jesse? I mean, is it hacking when someone pulls the data-stream of a multiplayer game into a separate data-stream analyzer so that they can change what the program is sending, and as such, make an aim-bot? Oh wait.. that’s exactly the same thing that these guys did.. just with more tech on the user end.

    I mean, I admit, this is one of the most basic and easy hacks to do, and it’s almost criminally negligent of AT&T to have not put in a simple security block to stop this, but what on earth makes this “not hacking”?

    • You are completely wrong. These pages were fully accessible to anyone using standard browser functions. The URL was just slightly changed, nothing more.
      For example, this page url is http:-//www2-macleans.ca/2013/03/19/infamous-hackertroll-weev-jailed-for-doing-arithmetic/.
      If I just remove the end and retry with:
      http://www2.macleans.ca/2013/03/19
      I get somewhere else, no hacking required. Fully legal. The judge was an idiot.

      • Just because something is trivial to hack doesn’t mean hacking hasn’t taken place.

        There’s a whole raft of poorly programmed browser games out there, for instance, where playing with the codes in the web-address can result in a person having things they’re not supposed to. So when someone changes the code to give themselves duplicate items they wouldn’t normally have.. have they hacked the game system? If not, then what would you call it?

        Just like it’s still breaking and entering if someone leaves their front door open when they go to work and you enter without permission, it’s still hacking if someone doesn’t secure their website and you go through it without permission.

        • But what damage did he do, beyond embarrassing a corporation? From Jesse’s account, at least, the data was not used for profit or to contact the email owners, so…
          If what he did constitutes hacking then I guess I’m a hacker too, as I too have changed URL codes to get to a different part of a site.
          Even if it is hacking, the punishment is excessive, given the uses to which the data collected was put.

          • Oh, I’ve got no argument that the punishment was excessive. It absolutely was.

            But mis-characterizing what this guy was doing as “not hacking” to suggest that he shouldn’t get any sort of punishment at all, as Jesse often likes to do for pirates and hackers, I do take issue with.

            As for what damage he did, having dug out the original gawker story here: http://gawker.com/5559346/ what damage he did was share the script with other people, the identities and number of which is unknown.. thus giving all of those people access to the emails and iPad information of anybody signed up through AT&T before they closed the hole.

    • The information was on publicly available website. You probably could have found the same data by punching the right keywords into a Google search.

      • So what? As I pointed out above, just because someone leaves their door open doesn’t mean it’s any less breaking and entering if you walk into their house and snoop around.

        • Usually I just laugh at the downvotes, but these ones concern me. I’m guessing the people who do it think it’s just fine to walk uninvited into someone’s home if they leave the door open, and that’s just disturbing.

      • Would be interesting to see those server’s logs, and how many times Googlebot actually hit those pages, if at all.

    • A web request is not a hack, just the same as dialing a phone number is not a hack.

      • A web request CAN be a hack. Just the same as walking into someone’s house through their open door CAN be breaking and entering.

        Here’s a quick list which can determine if something’s a hack or not:

        Was the person intended to get access to the information or service they did?
        Did they know they were not supposed to get access?
        Did they deliberately attempt to gain such access anyway?

        If all three of those conditions are true, you’ve met the broadest definitions for a hack.

        • A bank has foolishly left its customer account ledger on a reading pedestal outside the front door. Somebody comes along and turns to the next page. You think this should be called hacking? Absolutely no attempt to impersonate anyone or any attempt at false authentication.

          • Except they didn’t leave it outside the front door. It was behind a door marked private, that happened not to be locked.

          • No, it was not behind a door marked private.

            When you type something into your browser address bar, and then you hit enter, that’s not a hack.

          • The internet is a public network. If some data is intended to be kept private, you don’t make it accessible via the internet. For god’s sake, it wasn’t even password protected or encrypted. It’s analogous to buying a building, putting a big “Grand Opening” sign on the front, leaving the door open…. and then complaining when a stranger enters your “store”.

          • No. Not on the front. If it was on the front, they could have linked to it without doing anything in the browser bar. More like coming in through a window that wasn’t locked.

          • Anything that can be typed into a browser bar can be linked to via HTML. The fact that AT&T’s crappy server was accessible via a simple GET request is a clear indicator that they didn’t even contemplate user privacy. Making it respond only to POST requests would have at the very least forced these “hackers” to spend a few minutes crafting a request that couldn’t *as* easily be done with a web browser.

            I mean, this is a seriously troubling development. By the logic of the court, I could put up a website at, say, idrinkinthemorning.com, tell nobody about it, and then lay charges against anybody who happens to come along and find it. It’s insane. To steal an analogy, it’s like walking down the street writing down street #s and then being charged with identity fraud. It’s beyond absurd for companies like AT&T to think they can harness the awesomeness of a completely public and free network while being able to keep their little corner of it private.

          • I will point you, as well, to my three criteria.

            One of the key points you’re missing is intent. Did they know the service wasn’t supposed to be accessed how they did it? Their actions thereafter demonstrate, that yes, yes they did. They knew damn well they weren’t supposed to be getting in there. It wasn’t just some innocent mistake they made. They went in looking for ways to compromise people’s privacy. They found one. They shared that information with others — and not with the entity that could have stopped it.

        • Your analogy is wrong. If you walk up to someone’s house, knock on the door, and they let you in, then it’s not breaking and entering.

          In the same way, a web request is not a hack.

          This is how the web works: you send a request to a server, then the server decides upon the response. The server can send you 401 unauthorized, 403 forbidden, 404 not found, or a whole host of other responses, or even nothing. It can also send you 200 ok along with data.

          That is not a hack.

          For it to be a hack, you would have to go in and get the data, or try some kind of trick. If the server happily sends you the data, it’s not a hack.

          • Again, I refer you to my three criteria definition, since you seem to be having a problem understanding basic morality.

            I know, you’re trying to be all smart and go, “Well…. technically…. they didn’t get anything they weren’t given”. That’s like a two year-old saying, “Well… technically… I didn’t break the lamp… the baseball bat did..”

            They’re tools. They were used inappropriately.

          • Again, I refer to your difficulty with the word “hack”, and I also refer to your absurd attempts to deflect the topic to save yourself embarrassment.

  7. By lawyers. For lawyers. With lawyers. ….you get what you pay for

  8. No damage was done here and AT&T gets restitution for what? For fixing the flaw this guy exposed? I think the man has a case based on the 1st amendment.

  9. An easy hack is a hack nonetheless. It’s not less legal to steal a car because the door is unlocked.

    And it’s not simply that he did the hack, it’s that he published people’s private information.

    • I can’t tell from the article itself (maybe it’s in a link) EXACTLY what they’re saying he did wrong, but I’d bet it was something like collecting people’s personal information off the web using an automated system, which it kinda looks like he did.

      • “identity fraud and one count of conspiracy to access a computer without authorization”. Which boggles the mind. “Conspiracy to access a computer without authorization” could probably apply to any person who’s ever used a web browser.

  10. He should pay a fine. What he did was wrong. I don’t know about jail, though.

    • I dunno if a fine is the way to go. I’m more in the court of probation with restrictions on his technology use for a few months to a year or so, and successful completion of an ethics course.

      I do agree though that the sentence given makes very little sense. Restitution to AT&T and prison? That doesn’t fit the crime at all.

  11. This is plain wrong.

    If I walk into a store, and ask for something for free, and the vendor then gives it to me, then I’ve done nothing wrong.

    The same applies online. If he sends the web request, and gets the email as a response, he’s done nothing wrong, ATT has handed over the information voluntarily.

    • OMG stop the presses some guy has an analogy!

    • Exactly. It’s quite possible that a bot would have stumbled across this security hole by accident at some point. You don’t need to be a human to perform a request on the internet, or to sniff traffic over a network.

  12. Before one commits a crime or wanders into a “grey” zone in the United States, it is important to become a banker first. Bankers never get charged or prosecuted! -).

  13. Incidentally, one of the things Jesse fails to mention about this story is that before AT&T closed the hole, he also shared the script with various people.. who then all could get access to the information on the site.

    Those of you saying he did nothing wrong should remember that what he did exposed real people to the possibilities of identity theft and other hacking of their iPads.

    • How else would a security researcher prove their findings without sharing the vulnerability with others? It’s essentially peer review.

      • The only person you need to prove the findings to is the entity with the security hole.

        And you know that, but you just want to be a shit, don’t you?

  14. Why aren’t charges being laid against AT&T? Strikes me that they were the ones who published personal information on the internet that was accessible to anybody with a web browser, which should be criminal negligence at the least.

    • This I also agree with. AT&T definitely deserves some kind of charge here, perhaps double that 73,000 they’re being given, and be made to give that to the people whose security they compromised.
