Forgot your password?
typodupeerror
Government The Courts AT&T Security IT Your Rights Online

Jail Looms For Man Who Revealed AT&T Leaked iPad User E-Mails 124

Posted by Soulskill
from the doing-it-wrong dept.
concealment sends this quote from MIT's Technology Review: "AT&T screwed up in 2010, serving up the e-mail addresses of over 110,000 of its iPad 3G customers online for anyone to find. But Andrew Auernheimer, an online activist who pointed out AT&T's blunder to Gawker Media, which went on to publicize the breach of private information, is the one in federal court this week. Groups like the Electronic Frontier Foundation worry that should that charge succeed it will become easy to criminalize many online activities, including work by well-intentioned activists looking for leaks of private information or other online security holes. [Auernheimer's] case hasn't received much attention so far, but should he be found guilty this week it will likely become well known, fast."
This discussion has been archived. No new comments can be posted.

Jail Looms For Man Who Revealed AT&T Leaked iPad User E-Mails

Comments Filter:
  • by Anonymous Coward on Tuesday November 20, 2012 @04:47PM (#42046335)

    Anon pastebin is the way.

    • by Anonymous Coward

      Then it would have made no difference. You can't test free speech and outdated computer crime laws in court under the guise of anonymity.

  • Oh right, the feds, they're never in their right mind. I shouldn't have asked, dumb question, sorry.
    • by garcia (6573)

      That would only stand if staff didn't take direction from the political arm which happens to be manipulated by money from special interests.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Actually, no. There is no such thing as "the feds" in the USA.
      There are service organizations for companies to use, which protect industry interests, but are paid by you.
      An actual government would defend you against the companies, and put everyone in jail even tries to "lobby".

      But hey, in the US, many people loudly yell and proclaim they want a "small government" and "free market", because they confuse that industry instrument with an actual government, and confuse freedom for companies to abuse them with f

      • Re: (Score:3, Insightful)

        by deathlyslow (514135)

        The best is, not to listen/watch any of it at all. Including websites/blogs/etc.

        Says the AC posting on /.

    • by sdnoob (917382) on Tuesday November 20, 2012 @05:25PM (#42046807)

      at&t probably pursued and lobbied for charges to be filed so THEY look like the victim here instead of the people at the other end of those 110,000+ email addresses.

  • by Anonymous Coward
    Of another article with this comment [slashdot.org].
  • I thought there were whistle blower laws to shield people from these mishaps?

    Is it because he went to the media rather than the FBI? I'm genuinely curious as the article doesn't say much except that he's a "hacker" that downloaded a bunch of public web addresses that were easily predictable.

    • by stox (131684)

      AT&T wasn't breaking the law, whistleblower statutes do not apply.

      • by Mitreya (579078) <mitreya&gmail,com> on Tuesday November 20, 2012 @05:15PM (#42046673)

        AT&T wasn't breaking the law, whistleblower statutes do not apply.

        It must have. From TFA:

        One alleges that by being in possession of the e-mails from AT&Tâ(TM)s leaky system he handled 'identification information' in breach of a law intended to protect against identity theft,

        I am certain that laws protecting us against identity fraud mandate that the "identification information" is shielded from theft. AT&T has clearly failed to protect the information.

        • They're innocent until proven guilty, unfortunately they accidentally dropped a truck load of money in washington so the DOJ doesn't feel inclined to prosecute, therefore they weren't breaking the law and he gets no protections.

          Kind of messed up if you think about it; whistleblower laws only protect you if they were breaking the law, which means if they aren't convicted because of their highly paid legal team any whistleblower becomes fair game and totally screwed by said highly paid legal team. That law
      • by PhilHibbs (4537)

        A whistleblower is someone who tells the world about a problem that can't be resolved other than by publicizing it. A whistleblower isn't someone who exploits a vulnerability 110,000 times and publishes the private information gained by exploiting it. That is not legitimate white-hat whistleblowing. This is a person who leaked personal data, not a person who reported a leak.

    • by Desler (1608317)

      Because the laws are usually to cover employees from receiving reprisal from their employers whether private companies or the government.

  • by Anonymous Coward
    If you find a security hole, you don't need to exploit it 114,000 times. The Gawker story is incomplete and confusing, so I'm not sure what Weev did and what Goatse Security did. But to say "there was no illegal activity or unauthorized access" is plain silly.
  • like the Electronic Frontier Foundation worry that should that charge succeed it will become easy to criminalize many online activities, including work by well-intentioned activists looking for leaks of private information or other online security holes.

    The road to hell and all that.

    It's time for the geek to grow up and discover that life hasn't dealt him a Get Out Of Jail Free card,

    • by flyneye (84093)

      We should push for activists to be interned as thinktivists for a minimum of 4 years before engaging in any activity in support of a " cause".
      The prerequisite would demand a cause be examined from points of view other than the "cause" focused individuals involving themselves. This would enable a well rounded person to find solutions beneficial to all while bringing their goal to fruition. This new, well rounded "thinktivist" would then be allowed to replace the ineffective, greasy, dead head wannabees curre

  • by stox (131684) on Tuesday November 20, 2012 @05:00PM (#42046503) Homepage

    seem to be having increasing difficulty distinguishing the letter of the law versus the spirit of the law. Anything to add yet another successful prosecution to their resume with no concern as to the effects on others or the betterment of society.

    • Are you kidding me, that is WAY down the list

      Above it are things like:
      Can I get a conviction? This is pretty much the only performance metric for prosecutors. This includes taking into account how good a defense the accused can afford.
      Am I ordered to prosecute by my superior? Will I be fired if I refuse?
      Is there pressure from any groups to prosecute, just to harass the accused, even if the prosecution will fail, so in the future the group will help me [for example, the police force]?

      The 'for the love of

    • by jklovanc (1603149) on Tuesday November 20, 2012 @05:23PM (#42046785)

      Would you be saying something different if someone found a warehouse door open and reported it on a scrounger web site before they reported it to the owner of the warehouse? Data has value just like merchandise. The issue is not what they did but the way they did it. A true White Hat hacker would have told the company first and given them a chance to fix it before publicizing it.

      • by Mitreya (579078) <mitreya&gmail,com> on Tuesday November 20, 2012 @05:37PM (#42046977)

        Would you be saying something different if someone found a warehouse door open and reported it on a scrounger web site before they reported it to the owner of the warehouse?

        Neither of his charges is about publicizing the the info. I could probably get on board with that

        It seems that his charges are:
        1. "by being in possession of the e-mails from AT&Tâ(TM)s leaky system he handled 'identification information'"
        2. "case is based on the Computer Fraud and Abuse Act, which forbids 'unauthorized access' to a computer." (definitely the equivalent of being charged for trespassing)

        Show me which charge involves disseminating information on a scrounger website? Up to 5 years for trespassing in an open warehouse seems ridiculous (each charge carries up to 5 years)

        If he is guilty of publishing the info - let's see a law that charges him with disseminating "identification information". But trying to make marginally related things stick is very, very dangerous.

        • by jklovanc (1603149)

          Show me which charge involves disseminating information on a scrounger website? Up to 5 years for trespassing in an open warehouse seems ridiculous (each charge carries up to 5 years)

          How about burglary (1-20 years depending on state) and possession of stolen property (up to 10 years in Washington State) would be the similar charge. They could not disseminate the information if they did not have it. They didn't just trespass, they copied the information and took it away. The charge is not about disseminating the information it has to do the possession of the information. Had they not stored the addresses the problem would have been a lot less severe.

          • by Mitreya (579078)

            How about burglary (1-20 years depending on state) and possession of stolen property (up to 10 years in Washington State) would be the similar charge.

            Interesting point on possession of stolen property... Possession of copies of stolen property?
            But -- can you get charged with burglary if the door was open?

            • by jklovanc (1603149)

              Burglary [wikipedia.org] is the illegal entry into a building for the purposes of committing a crime, in this case the illegal copying of data, and need not include circumvention of security. They were not authorized to access the private server therefore the act was illegal. Locks are there to make crime more difficult; not to define what a crime is.

          • by mspohr (589790)

            I don't think he "stole" the email addresses. AFAIK, they are still in ATT hands. No theft, no possession of stolen property. No burglary.
            He copied stuff that was on a public web site. ATT probably didn't intend to make it publicly available, but that should be their problem, not his.

            • by jklovanc (1603149)

              This is where the modern age of data does not jive with the laws dealing with material goods.
              You are also confusing the analogy with the real life incident. The analogy refers to "theft" but the charges refer to "unauthorized access" and "illegal possession". Analogies are never perfect. The point is that the hacker was never authorizes to access or copy the information.

              It was also much different than being on a public web site. The hacker didn't just click on a link and have the data appear. He had to send

              • by deimtee (762122)
                Your claim equates to "typing an address directly into a browser is hacking* and you should only access the web by clicking on links."
                Tough luck if you click a malformed link and get the wrong thing back from a server, you're going to jail.

                *of the cracking type
                • by jklovanc (1603149)

                  If you click on the same link over 300000 times, record the results and publish them then yes you should go to jail. Once, probably not. In every law there is an intent clause. Clicking once could be an accident. Clicking 300,000 time shows intent. By the way, the mal-formed URL is the issue of the person who wrote the URL and maybe not the issue of the person who clicked on it. In this case the accused created a script to send hundreds of thousands of requests to the server. There was definite intent there

          • by chrismcb (983081)
            Apparently this is the MAIN thing he is being charged with:

            Weev and a fellow hacker who originally uncovered AT&T’s mistake and collected the e-mails didn’t ask the company for permission to access the Web addresses that shared iPad users’ private information. But those Web addresses weren’t hidden behind password prompts or any kind of protection – they were publicly accessible.

            Which looks like the equivalent of "trespassing". Kind of like entering an empty lot, that has no fences or signs, that is next to a public park.
            It means if you click on a random link you find, you could be arrested.

            • by jklovanc (1603149)

              Please read all the posts before responding. He did not click on a random link. He crafted a specific URL with possible phone IDs and sent them to the server. He deliberately was looking for the information. Most requests were securely locked down but he found one that was not. It is much closer to going around a building looking for an unlocked door. The difference between trespassing and burglary is that trespassing is mere presence while burglary requires intent to do a criminal act while on the property

    • by westlake (615356)

      Prosecutors, these days seem to be having increasing difficulty distinguishing the letter of the law versus the spirit of the law.

      The prosecutor has some discretion.

      But there are limits.

      He needs convincing and he tends to become cynical.

      He has heard it all before.

      The "spirit of the law" has to amount to something more --- much more, I afraid --- then the geek's self-serving plea that one of his own kind doesn't deserve to go to jail.

      ____

      The geek is the quintessential outsider.

      He ought to have learned by now not to rely on the kindness of strangers.

    • One thinks there must be more, some extortion or plan to misuse the info, that we aren't hearing about.

      On the other hand, these are the same people who try to get teens who send cell phone nude shots to each other registered as lifelong sex offenders who produced and distributed child pornography.

      Wrecking lives for a notch on the belt. So proud. Elect me!

  • by Hatta (162192) on Tuesday November 20, 2012 @05:04PM (#42046543) Journal

    Weev is a troll [encyclopediadramatica.se]. He's better known to /. as one of the "president" of the GNAA [wikipedia.org]. An all around unpleasant fellow.

    The unfortunate thing about this case is that Weev didn't actually do anything wrong here. AT&T published the email addresses, it should be AT&T facing prison time.

    • by NewWorldDan (899800) <dan@gen-tracker.com> on Tuesday November 20, 2012 @05:21PM (#42046757) Homepage Journal

      He did do something wrong here. Whatever his intentions, he was poking around AT&T's web server in a way he knew he shouldn't have been. Just because AT&T was wrong doesn't make him right. As an analogy, I often leave my car unlocked. If you take it, you're still a car thief, even if I should have taken better care of my car. In any event, you don't have to harvest 114k emails to demonstrate a problem.1 or 2 is adequate proof that there's a problem.

      • by quacking duck (607555) on Tuesday November 20, 2012 @05:31PM (#42046897)

        Better analogy is if you left confidential info clearly visible and readable in your car, and someone came along and saw it through the window, then told a nearby reporter about it, etc.

        This guy didn't steal AT&T, after all.

        Unfortunately, the car's owner is politically connected and his prosecutor buddy brings charges against you to cover up the owner's embarrassing blunder.

        • by jklovanc (1603149) on Tuesday November 20, 2012 @05:42PM (#42047079)

          Even better analogy;
          1.Leave confidential material in a folder in an unlocked room.(create an mechanism on the server to access info without proper security)
          2. Someone come along and search the room (make semi-random requests to the server)
          3. Copy the information in the folder (record the server responses)
          4. Publish where the room is, where the folder is and the contents of the folder. (put the server name, request format and received data out on the internet)
          A true White had would have told the company before publishing the breach and they would not have tried hundreds of thousands of requests. Just because there is not a lock on the door does not mean one can rummage through the room, copy the information and publish it.

          • by paulzeye (736282)
            I think a slightly better analogy would be if your unlocked room is in the middle of a public store and maybe hidden behind a clothing rack. The entrance is obfuscated but there are no signs saying no entrance.
            • by jklovanc (1603149)

              Then one is obliged to ask a store clerk if it is ok to go into the room. If someone went in that room and stole merchandise it would still be burglary.

          • by drinkypoo (153816)

            The problem with your analogy is that a public-facing web server is assumed to have public-facing information. Trying zillions of queries is a normal way to get the data you want out of the server in a format you want, like trying to convince Netflix to give you the views you used to be able to click to. (As an aside, appending &vt=tl to many URLs gives you the old list view...) There's a big difference between checking doors and checking URLs.

            I can agree, however, that he should have told the company a

            • by jklovanc (1603149)

              In every request he sent was the ID of a phone that he did not own. He specifically asked for information that he knew he had no right to. Also the URL he hit was not published and he had never used it before. He was not trying to get what he used to get but he was trying to get information he knew that was illegal to have. That he got it through an unlocked door make no difference.

        • by Anonymous Coward

          Better analogy is if you left confidential info clearly visible and readable in your car, and someone came along and saw it through the window, got out a cell phone and photographed the page, then turned the page and photographed the next page, over 100 thousand times, then told a nearby reporter about it, etc.

          You left out an important part, because intent matters. If they'd seen one or two e-mails and reported it, fine. Instead they put in a huge effort to create a database of such e-mails. Can anyone here honestly say that was done in good faith? Somewhere after collecting the first dozen, hundred, or maybe thousand e-mails they cross the line.

        • by isilrion (814117)

          Better analogy is if you left confidential info clearly visible and readable in your car, and someone came along and saw it through the window, then told a nearby reporter about it, etc.

          An even better analogy: you left confidential info *about me* clearly visible and readable in your car. I had trusted you to keep it secure and I had not noticed that you were failing to do that. He saw it, and let me know in the only way he could.

          I really can't understand all those "hacking victim" apologists (note the quotes). Currently it is illegal for me to accidentally discover that my bank/phone company/isp is leaking my information or allowing transactions in my name. Without that knowledge, I can

      • by grasshoppa (657393) <skennedyNO@SPAMtpno-co.org> on Tuesday November 20, 2012 @05:32PM (#42046915) Homepage

        The car analogy doesn't work here, as a website is inherently a publicly offered service, whereas your car is not. There really isn't a good analogy for this situation, as it doesn't really require an analogy in the first place.

        AT&T put private information on their public website. Mistake or not, their actions made the information public, not the defendant in this case.

        AT&T is obviously to blame here.

      • a better analogy would be - you are a valet and you left the cars unlocked. then someone told your boss that you do a shit job of valeting the cars. you then and go punch that someone in the face.

        Whatever his intentions, he was poking around AT&T's web server in a way he knew he shouldn't have been.

        the parallel of above is that the someone was looking at the cars parked in a private area. the valet company sells the idea that no one can do that (look at your car when it is parked with them) but then puts your car on the street.

      • by Amouth (879122)

        But taking your car would have deprived you of it. If you left the doors unlocked and i came by opened up and just took pictures of everything in your car without damaging or taking anything (but copying what i find) then I've taken nothing of yours, it isn't theft, and i have not broken and entered in any way.

        Trying to use a physical theft as an analogy for digital works doesn't work because they are not the same.

      • by Hatta (162192)

        As an analogy, I often leave my car unlocked.

        That analogy is so bad, it's dishonest. Your car is not a publically accessible communication system. AT&T's website is. Do you really think they're comparable? Seriously, shame on you.

  • Paul J. Fishman (Score:3, Informative)

    by Anonymous Coward on Tuesday November 20, 2012 @05:07PM (#42046579)

    I know little of the case, but it looks like this case is being brought by Paul J. Fishman, the U.S. District Attorney for New Jersey. According to Wikipedia (it's always correct), he used to work for Friedman Kaplan Seiler & Adelman. A firm that represented the Communication Workers of America. Not surprisingly, the CWA regularly deals with AT&T.

    Mr. Fishman was appointed by President Obama in 2009. If you don't like his actions, contact the Whitehouse and your representatives and let them know. Not that it'll matter, but maybe it'll make you feel better.

    Or if you'd prefer, you can always contact his office directly for more information on the case: http://www.justice.gov/usao/nj/contact.html [justice.gov] . Though, again, not that'll it matter.

    • by alexo (9335)

      If you don't like [...], contact the Whitehouse and your representatives and let them know. Not that it'll matter, but maybe it'll make you feel better.

      And that is the most accurate and succinct summary of our(*) representative democracy that I have ever seen.

      (*) I'm not from US but the situation in Canada isn't any better.

    • by Guru80 (1579277)
      In this day and age, it's a shame to say but going so far as to contact a congressman about anything you disagree with is probably just an excuse to add you to some sort of list to have your emails read and all that conspiracy crap. Not that contacting them about anything individually matters anyway. The only way it would even be noticed beyond a the standard generic form reply is if all of a sudden 10 million people emailed them.
    • According to Wikipedia (it's always correct), he used to work for Friedman Kaplan Seiler & Adelman. A firm that represented the Communication Workers of America. Not surprisingly, the CWA regularly deals with AT&T.

      I would like to meet the man or woman with a senior position in law, finance, tech or government who at one time or another hasn't been friend or foe and often both to AT&T.

      Hereabouts, you'll find them mighty thin on the ground.

      AT&T Inc. is an American multinational telecommunications corporation headquartered in Whitacre Tower, downtown Dallas, Texas. AT&T is the largest provider both of mobile telephony and of fixed telephony in the United States, and also provides broadband subscription television services. As of 2010, AT&T is the seventh largest company in the United States by total revenue, and the fourth largest non-oil company (behind Walmart, General Electric, and Bank of America). It is the third-largest company in Texas (the largest non-oil company, behind only ExxonMobil and ConocoPhillips, and also the largest Dallas company). As of 2011, AT&T is the 14th largest company in the world by market value, and the 9th largest non-oil company. It is also the 20th largest mobile telecom operator in the world, with over 100.7 million mobile customers.

      AT&T [wikipedia.org]

  • by Anonymous Coward

    If he would have done the right thing and sold the information to Chinese hackers they would have given him a little cash and no one would be getting sued.

  • According to the article attached to the summary, the way Weev accessed this information was typing in publicly accessible URLs. If that's the case, how in the world can he possibly be prosecuted for accessing a public website?

    Something seems to be missing here. I'm guessing there's more to this story than what is written in the article.

  • do you help yourself, tell the bank, or shout about it from the rooftops? Andrew Auernheimer shouted from the rooftops and deserves punishment.
    • by Mitreya (579078)

      if you saw an open bank vault ... do you help yourself, tell the bank, or shout about it from the rooftops? Andrew Auernheimer shouted from the rooftops and deserves punishment.

      1. Up to 10 years total seems a tad high, since we are talking about emails, not a bank

      2. He is being charged with "handling private data" and "unauthorized access" to a computer. Tell me which one of these charges is equivalent to the "shouting from the rooftops".

      If only his case involved charges such as "disseminating private information" or "promoting identity theft", but neither one of them looks like that.

    • ...is your analogy still stupid?

    • by stafil (1220982)

      do you help yourself, tell the bank, or shout about it from the rooftops?

      Out of curiosity, if somebody was shouting about it from the rooftops; what's the law he would be breaking in that case?

    • by BrookHarty (9119)

      Going to have to disagree, you can talk about anything you see in normally. If you opened the bank vault door first then yell its open, then you are guilty.

      This guy reported a hack he found poking around, that's a crime. If he reported a hack he found while doing normal transaction, then its not a crime. I think its pretty easy to tell the difference.. Buffer overflows and exploits are not normal transactions. This is what makes the difference between white and black hat hackers. White hat doesn't perf

    • It is hard to maker a good analogy and I find most of those posted far off the track.

      I see it differently: imagine a library. You know, books, of the paper variety. A lot of them, all available for public use.
      Somehow careless library management put in there their finance book. Someone found it and picked up for rental. Person at the checkout out did not object.

      It is negligence of the people who let the financial info get in the library, not the one who rented it.

  • I wonder how many of his defenders on Slashdot realize that this is Weev, the former president of the GNAA?

    Still, I'm impressed with Slashdot's integrity, for once. After ten years of crapflooding and trolling by the GNAA, I would have thought that Slashdot would be a bit more antagonistic toward him.

  • He's facing 2 charges:

    1) Violating an identity theft law by "being in possession of the e-mails." With no evidence that he planned to misuse the information.

    2) Violating the Computer Fraud and Abuse act via "unauthorized access to a computer". Even though the information was publicly available on AT&T's website (not behind any kind of protection, not even a password).

    I almost hope he's convicted on the latter charge; the publicity that will generate may lead to sane revision of these laws.

    • by Anonymous Coward

      "With no evidence that he planned to misuse the information."

      IRC logs clearly showed weev planned to misuse the information. It even included him talking about using the breach to manipulate AT&T stock...

      This indictment includes the IRC log excepts: http://www.scribd.com/doc/113664772/46-Indictment

  • Please, make sure the Jury knows about Jury Nullification. They can still declare him not guilty even if he technically broke the law. Juries are your protection against bad laws. Let them know it.

    IMarv

    • The big problem with this is that Judges tend to dislike Juries being notified of that right and tend to throw people out for even mentioning it in court.
  • I stumbled across this site when my father-in-law was pissing and moaning about how broke he is(111,000/year). It seems like the information here is far more dangerous than a bunch of leaked emails. Why is "free-speech" in this aspect protected, yet you can't publish a bunch of email addresses?
  • .... he was thoroughly ignorant of who owns AT&T --- had he been so, he would have approached things entirely differently (one hopes?).

    Americans are thoroughly idiotized today --- the vast majority are still to eff-tard stupid to understand we live in a corporate fascist state, and that it is by purposeful design that Americans are completely ignorant of the ownership of those ruling corporations (especially the banksters, oil companies, pharmaceuticals and weapons makers, etc.).

    Exactly why they

Computers will not be perfected until they can compute how much more than the estimate the job will cost.

Working...