The Courts Security

'weev' Conviction Vacated 148

Posted by Soulskill
from the finally-drew-the-get-out-of-jail-free-card dept.
An anonymous reader writes "A few years back, Andrew 'weev' Auernheimer went public with a security vulnerability that made the personal information of 140,000 iPad owners available on AT&T's website. He was later sentenced to 41 months in prison for violating the Computer Fraud and Abuse Act (or because the government didn't understand his actions, depending on your viewpoint). Now, the Third U.S. District Court of Appeals has vacated weev's conviction. Oddly, the reason for the ruling was not based on the merits of the case, but on the venue in which he was tried (PDF). From the ruling: 'Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age, we find it necessary to reach only one that has been fundamental since our country's founding: venue. The proper place of colonial trials was so important to the founding generation that it was listed as a grievance in the Declaration of Independence.'"

  • To the point... (Score:5, Informative)

    by msauve (701917) on Friday April 11, 2014 @12:09PM (#46726913)

    Spitler was in San Francisco, California and Auernheimer was in Fayetteville, Arkansas. The servers that they accessed were physically located in Dallas, Texas and Atlanta, Georgia. Although no evidence was presented regarding the location of the Gawker reporter, it is undisputed that he was not in New Jersey.

    He was indicted and tried in NJ, despite none of the involved parties being located there.

    • by GPS Pilot (3683)

      The proper place of colonial trials was so important to the founding generation that it was listed as a grievance in the Declaration of Independence.

      weev is fortunate that, for once, a court gives a damn about what was important to the founding generation.

  • by korbulon (2792438) on Friday April 11, 2014 @12:15PM (#46726977)
    They invoked the writ of Copus Outus.
    • by krlynch (158571) on Friday April 11, 2014 @12:17PM (#46727007) Homepage

      Which is more officially the Doctrine of Constitutional Avoidance: http://en.wikipedia.org/wiki/C... [wikipedia.org]

      • Yeah, "Don't Make New Laws Unless You Have To" looks like copping out, but is actually something I completely support. When new laws are made, it usually just makes things more complicated, may create unintended/unforeseen consequences, and so forth.
        • by davecb (6526)

          Yup: excessive enthusiasm and pilpul don't make a good mixture.

          --dave
          [Hmmn, I'm thinking red/green/refactor may be something legal draftsmen may want to investigate. The conviction was RED, this is GREEN, a good case before a superior court would be the REFACTOR]

      • by korbulon (2792438)
        Even though there's a name and history for it doesn't make the ruling any more satisfying: "we're letting him go, but don't get the idea that we want to, it's just because we're not willing to make any sort of actual decision about it." But IANAL and all that shit, so what the hell does my opinion as a concerned citizen matter? Best to leave these sort of things in the hands of experts and I will get back to being a tiny gear.
        • Actually, the appeals circuit doesn't reevaluate the evidence of a case but merely whether the letter of the law was followed during the trial. If it wasn't, a new trial begins, and if it was, they may still appeal to a higher (supreme) court.
        • by c (8461)

          Even though there's a name and history for it doesn't make the ruling any more satisfying: "we're letting him go, but don't get the idea that we want to, it's just because we're not willing to make any sort of actual decision about it."

          If you actually read the ruling, footnote 5 strongly suggests that if they'd actually had to make a decision on the actual purported crime, they don't believe the government actually produced any evidence suggesting the New Jersey law was violated.

        • by Anonymous Coward

          What the appeals court said is that they could not rule on the merits of the case, as there were none. For them to rule on the merits of the case, it would have to have been properly tried. It wasn't, therefore, there are no merits at all. This is consistent with the "poisoned fruit" doctrine that leads all tainted evidence to be discarded due to having been obtained illegally, whether or not it's relevant.

  • What happens now? (Score:5, Interesting)

    by gnasher719 (869701) on Friday April 11, 2014 @12:22PM (#46727053)
    From Wikipedia: "Relief from judgment of a United States District Court is governed by Rule 60 of the Federal Rules of Civil Procedure.[1] The United States Court of Appeals for the Seventh Circuit noted that a vacated judgment "place[s] the parties in the position of no trial having taken place at all; thus a vacated judgment is of no further force or effect."[2] Thus, vacated judgments have no precedential effect.[3]"

    That seems to say that he is now in a legal position as if the trial had never taken place. So can he be taken to court in the proper place now?
    • From Wikipedia: "Relief from judgment of a United States District Court is governed by Rule 60 of the Federal Rules of Civil Procedure.[1] The United States Court of Appeals for the Seventh Circuit noted that a vacated judgment "place[s] the parties in the position of no trial having taken place at all; thus a vacated judgment is of no further force or effect."[2] Thus, vacated judgments have no precedential effect.[3]" That seems to say that he is now in a legal position as if the trial had never taken place. So can he be taken to court in the proper place now?

      IANAL, but from my understanding of double jeopardy he could be retried. It appears to be a procedural error which would allow a retrial; in this case in the proper venue.

      • Re:What happens now? (Score:4, Informative)

        by bruce_the_loon (856617) on Friday April 11, 2014 @12:43PM (#46727303) Homepage

        If he is retried, he can bring into evidence footnote 5 on page 12 of the judgement where the judges advanced the opinion that he was innocent of the accessing without authorization or in excess of authorization charge because there was no password or code barrier and the program accessed a publicly facing interface and retrieved information that AT&T unintentionally published. It reads that even if they found the venue as correct, they would have vacated the guilty verdict because of that.

        • by Yebyen (59663)

          I haven't read the judgement (I am a good armchair lawyer though, have read lots of opinions and regurgitation of other people's interpretation of the facts) but I am pretty sure that was a part of the New Jersey law, so in any retrial it would be irrelevant, since the standard is lower.

          It would have probably been better for Weev if AT&T's servers actually were in New Jersey, since then these judges would be forced to say what they think about the NJ law as it applies to this case, which is pretty clearly

          • by Shakrai (717556) *

            The password or code - there was no such barrier to access, so no illegal access through forged authorization occurred.

            He still could have been charged under CFAA, without the felony enhancement (or without it through some other requirement), or any one of a number of state-level computer trespass laws. My home state (New York) has a felony computer trespass law that would apply to the exact same crime committed within our jurisdiction, and Arkansas (weev's home state) has a similar statute.

            As a general rule of thumb the law is less concerned about the specific security measures bypassed and more concerned with whether or

      • by mmell (832646)
        Two factors - first, does prejudice apply, or was the conviction vacated without prejudice?

        Second - charges brought in New Jersey don't have any bearing on charges brought in California/Arkansas/(anywhere but New Jersey)? Different state, different state laws being applied, different crime being alleged. I doubt that the charges in California would specifically be about the 4,500 New Jersey residents whose personal information was compromised. If necessary, they could simply exclude that evidence as not

    • by Hentai (165906)

      Hmm. Overly-cynical thought:

      Convict him, put him in prison, let him start serving out his sentence, vacate conviction based on venue.

      Re-charge him in the proper venue, put him in jail without bail, let him stew for a few years. Then try him again, convict him again, put him in prison for a year or so again. Then vacate THAT conviction based on another technicality.

      Then re-charge him again, put him in jail without bail again, let him stew for a few more years while you set up a third trial. Then try him agai

      • Convict him, put him in prison, let him start serving out his sentence, vacate conviction based on venue.

        His lawyer should have protested the venue in the first place. That is my understanding of the situation.

        Either way I hope 'weev' learned not to be a griefer. Otherwise he's just a jerk.

        • by MarkvW (1037596)

          You're WAY off base. It's sad that you have been modded up.

          Venue not objected-to in the trial court is WAIVED. That means it can't be raised for the first time on appeal.

          If it could, lawyers would be sandbagging potential 'venue do-overs' all the time.

        • by operagost (62405)

          He did. The motion was denied.

          The judge in that case should probably be censured.

      • by mmell (832646)
        Until somebody managed to get the sentence vacated with prejudice.
  • Of course (Score:2, Troll)

    by Vermonter (2683811)
    Of course they vacated his conviction based on the wrong venue instead of the merits of the case. This guarantees there is no controversy.
  • Interesting (Score:3, Interesting)

    by Capt James McCarthy (860294) on Friday April 11, 2014 @12:22PM (#46727063) Journal

    I never understood this. If you break up a rape and beat the crap out of the perpetrator, you are hailed a hero. But expose flaws and you are a criminal. I suppose it's not the crime they are exposing, but the tactics to obtain the information then? So the question would be do the ends justify the means? That would apply to all things governmental/commercial I suppose.

    • by bunratty (545641)
      You need to be very careful when doing security research. To expose a flaw in a security system, you often need to break the law, unless you have prior permission to expose flaws in a particular system. When I took Halderman's security class, he warned us that any student who broke the law would automatically get an F in his class.
      • Sometimes, laws need to be broken.

        Read that any way you want.

        • by bunratty (545641)
          I read that as saying that it's often the right thing to do to break the law. On the other hand, you can't expect no legal consequences because you did the right thing.
      • When I took Halderman's security class, he warned us that any student who broke the law would automatically get an F in his class.

        I think if you broke the law-- and he can't argue you broke the law unless you are convicted-- then getting an F is the least of your worries.

    • by sribe (304414)

      If you break up a rape and beat the crap out of the perpetrator, you are hailed a hero.

      That depends entirely on locale. Some prosecutors would go after you for the assault.

    • Weev did more than expose the security flaw. He ran a scheme to collect the email addresses behind the flawed security scheme, and collected over 100K of them. If he (and his partner) had stopped when the security flaw was discovered, then there would not have been a crime committed.

    • by Solandri (704621)
      To break up a rape, you need to conduct assault and battery on the rapist. Things that are normally considered criminal, but not in the context of self-defense or defense of another.

      That's what's missing in the security front. If you're exposing the flaw in self-defense (your info is at risk) or defense of another (other people's info is at risk), you should be immunized against prosecution if you reveal the info in a reasonable manner. "Reasonable" can be defined in many ways, but probably someth
    • by MarkvW (1037596)

      It's more like writing an article in your local newspaper telling everyone who reads the paper just how they can steal all your neighbor's property without getting caught.

      At least that's my impression.

    • by adolf (21054)

      I was actually waiting for someone to bring up a rape analogy. Your analogy fails.

      If you break up a rape, you've done two things: Witnessed wrongdoing and attempted (succeeded?) in stopping it.

      If you pen-test someone else's network, you've done none of these things. Where's the witnessed wrongdoing? Where's the stopping it?

      In the first case, of course you are (or should be) a hero. But to extend your analogy, in the latter case, you've done nothing more than check every girl you can find to see if she'

  • Not Odd At All (Score:5, Insightful)

    by jratcliffe (208809) on Friday April 11, 2014 @12:27PM (#46727137)

    "Oddly, the reason for the ruling was not based on the merits of the case, but on the venue in which he was tried (PDF)."

    This isn't odd at all. If the venue was incorrect, then all the issues raised in the trial become irrelevant.

    Think of it this way: if he'd been charged with "being a Mets fan," and the appeal was based on (a) there's no law against being a Mets fan, and (b) the evidence that he was a Mets fan (a cap) was obtained through an illegal search, then whether or not the search was illegal would be irrelevant - he had broken no law, so the "conviction" would be tossed out.

    • by Yebyen (59663)

      ...except that the situation you just described is the opposite of what happened.

      The judges declined to give an opinion on whether or not any law was violated, they vacated the verdict in NJ because of a procedural violation that had taken place -- the venue the case was tried in was NJ, even though the events and parties (AT&T was not a plaintiff, so technically not a party... but the servers in question) were not any of them in NJ.

      • An opinion on the law being violated was given in footnote 5 on page 12 of the judgement. It suggests he is not guilty of the charge.

        • by Yebyen (59663)

          It suggests (by way that no evidence was offered) that he is not guilty of unauthorized use of a code or password, which means he's not guilty of violating the precedent for the statute in NJ. It gives no opinion on whether or not this has any bearing on the federal charge under CFAA. The precedent cited is another NJ case, where the person on trial was a police officer who had a password and used it for reasons against internal policy. There was no password, but I believe the standards of the federal CF

      • Bad example on my part, then. Point I was trying to get across is that, if there's a procedural reason to overturn a ruling, judges will always go that route rather than getting into the substance of the case, since the substance doesn't matter.

        • by Yebyen (59663)

          I'll try a car analogy. If you're trying to drive to New Jersey and you're starting your trip in Ireland, it's not important that you don't have EZPass or any American money to pay the tolls. There's too much water in your engine by the time you reach the shore, assuming you didn't just run out of gas on the bottom of the ocean. You didn't fail to pay the roadway tolls in Jersey, since you never were in the state of New Jersey. So you don't go to jail for that.

    • by Anonymous Coward

      "Oddly, the reason for the ruling was not based on the merits of the case, but on the venue in which he was tried (PDF)."

      This isn't odd at all. If the venue was incorrect, then all the issues raised in the trial become irrelevant.

      Think of it this way: if he'd been charged with "being a Mets fan," and the appeal was based on (a) there's no law against being a Mets fan, and (b) the evidence that he was a Mets fan (a cap) was obtained through an illegal search, then whether or not the search was illegal would be irrelevant - he had broken no law, so the "conviction" would be tossed out.

      It's a little more complicated than this. Part of the reason New Jersey was chosen is that they could tag a felony onto the case. So it would be like being charged for being a Mets fan, but you live in Arkansas, and the cap was found in Arkansas, but it's only a misdemeanor in Arkansas to be a Mets fan...so the trial was moved to Jersey where being a Mets fan is a felony.

  • From the decision: "To be found guilty, the Government must prove that the defendant (1) intentionally (2) accessed without authorization (or exceeded authorized access to) a (3) protected computer and (4) thereby obtained information." I haven't read this particular law, but I doubt that it has a provision that gives blanket immunity to government agents/employees. The minute you step over the line of unauthorized access to a computer (assuming you don't have a warrant), you've just committed a crime.

    Ooooo

  • by T.E.D. (34228) on Friday April 11, 2014 @01:25PM (#46727795)
    He wasn't kidding in the slightest about venue being a big issue in our break with Britain. You can find the issue at least alluded to as a grievance in just about any pre-war document. My favorite is Franklin's sarcastic Rules by Which a Great Empire May Be Reduced to a Small One [archives.gov]

    This King, these Lords, and these Commons, who it seems are too remote from us to know us and feel for us, cannot take from us ... our Right of Trial by a Jury of our Neighbours. ... To annihilate this Comfort, ... let there be a formal Declaration of both Houses, that Opposition to your Edicts is Treason, and that Persons suspected of Treason in the Provinces may, according to some obsolete Law, be seized and sent to the Metropolis of the Empire for Trial; and pass an Act that those there charged with certain other Offences shall be sent away in Chains from their Friends and Country to be tried in the same Manner for Felony. Then erect a new Court of Inquisition among them, accompanied by an armed Force, with Instructions to transport all such suspected Persons, to be ruined by the Expence if they bring over Evidences to prove their Innocence, or be found guilty and hanged if they can’t afford it.

    (emphasis his)

    • by Livius (318358)

      A wonderful ideal, but it did break down when a smuggler was tried with a jury of other smugglers.

      • by T.E.D. (34228)
        That was essentially England's argument in sending colonists over there for trial. It's tough to get a lot of convictions out of a colonial jury that thinks the law itself is stupid (and they had no say in it). Parliament also passed laws taking both the appointment and salaries of judges out of the hands of the colonies. That showed up as a grievance everywhere too.
  • I've been trying to find some sort of write up on what was exploited and how it was found.

    Does anyone know where to find any of this documentation?

    • by PRMan (959735) on Friday April 11, 2014 @03:04PM (#46728779)
      Basically, they tried to put an unlimited iPad SIM card in a PC. They disassembled the driver to find out how it authorized them and realized that there was no security, it just went to a hidden website. They went to the website and it didn't work but then they changed their agent string in their browser to impersonate an iPad. At that point, it showed him his account information. After that, they just incremented the number up and down and realized that it showed them EVERYONE'S account information.
  • If so, then I committed an unlawful act today. Did a Google search, and soon I was reading a pdf file of section 9 of some code, but it referred to section 10. How do I locate section 10? Oh wait - just increment the section number in the URL by 1. Oops - Federal prosecutors knocking on my door, ready to haul me off to NJ for trial. Dang.
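
The access pattern described in the thread (an account page that checked only the browser's agent string and a number that could be incremented) is shown here from the defender's side. This is an added illustration, not code from the thread, from AT&T, or from the ruling: it puts that weak check beside a lookup bound to an authenticated session and adds a simple log check for one client requesting many identifiers. All function names, identifiers, addresses and records are constructed.

```python
import secrets

# Constructed sample records keyed by a sequential device identifier.
RECORDS = {
    "1000001": "alice@example.com",
    "1000002": "bob@example.com",
    "1000003": "carol@example.com",
}

# Session token -> the one device identifier that session may read.
SESSIONS = {}


def weak_lookup(device_id, user_agent):
    """Weak pattern: the only gate is a client-supplied header, and the
    record is chosen purely by a guessable identifier in the request."""
    if "iPad" not in user_agent:
        return 403, None
    email = RECORDS.get(device_id)
    return (200, email) if email else (404, None)


def issue_session(device_id):
    """Hypothetical login step: after the subscriber authenticates, the
    server issues an unguessable token tied to their own identifier."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = device_id
    return token


def hardened_lookup(device_id, session_token):
    """Authorization is decided server-side from the session, so changing
    the identifier in the request cannot reach another subscriber's data."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return 401, None   # no valid session
    if owner != device_id:
        return 403, None   # authenticated, but not the owner of this record
    return 200, RECORDS[owner]


def flag_enumeration(log, threshold=3):
    """Return clients that requested `threshold` or more distinct
    identifiers, a cheap signal that someone is walking the ID space."""
    seen = {}
    for client, device_id in log:
        seen.setdefault(client, set()).add(device_id)
    return sorted(c for c, ids in seen.items() if len(ids) >= threshold)


# Constructed access-log sample: (client address, requested identifier).
SAMPLE_LOG = [
    ("198.51.100.7", "1000001"),
    ("198.51.100.7", "1000002"),
    ("198.51.100.7", "1000003"),
    ("203.0.113.9", "1000002"),
    ("203.0.113.9", "1000002"),
]

if __name__ == "__main__":
    token = issue_session("1000001")
    print(weak_lookup("1000002", "Mozilla/5.0 (iPad)"))
    print(hardened_lookup("1000002", token))
    print(flag_enumeration(SAMPLE_LOG))
```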
