'weev' Conviction Vacated
An anonymous reader writes "A few years back, Andrew 'weev' Auernheimer went public with a security vulnerability that made the personal information of 140,000 iPad owners available on AT&T's website. He was later sentenced to 41 months in prison for violating the Computer Fraud and Abuse Act (or because the government didn't understand his actions, depending on your viewpoint). Now, the Third U.S. District Court of Appeals has vacated weev's conviction. Oddly, the reason for the ruling was not based on the merits of the case, but on the venue in which he was tried (PDF). From the ruling: 'Although this appeal raises a number of complex and novel issues that are of great public importance in our increasingly interconnected age, we find it necessary to reach only one that has been fundamental since our country's founding: venue. The proper place of colonial trials was so important to the founding generation that it was listed as a grievance in the Declaration of Independence.'"
To the point... (Score:5, Informative)
He was indicted and tried in NJ, despite none of the involved parties being located there.
Re: (Score:3)
The proper place of colonial trials was so important to the founding generation that it was listed as a grievance in the Declaration of Independence.
weev is fortunate that, for once, a court gives a damn about what was important to the founding generation.
Re: (Score:3)
Re: (Score:2)
The government argued that New Jersey was proper because 4,500 e-mail addresses were obtained from residents there. The authorities claimed that even if the venue was improper, it should be disregarded because it did "not affect substantial rights."
Re: (Score:2)
Re: (Score:1)
The decision explains: venue attaches to the location where the criminal acts were *committed*, not where the alleged victims resided.
Re: (Score:2)
Incorrect. They found that the only venues for a crime are locations where essential elements occur. In the case of the parts of the CFAA violated, that would either be the location of the hacker at the time of the hacking, or the location of the hacked machine at the time of the hacking.
Re: (Score:2)
Well, I was trying to keep it simple, but I don't think this Court of Appeals would agree with you. There is a significant discussion beginning at the bottom of page 14 that addresses, for example, whether the "locus of the effect of the criminal conduct" can confer venue. All this Court decided is that where there was no contact with the prosecutor's chosen venue (New Jersey) other than the alleged victims were located there, that venue was improper. The question of whether the site of the servers improper
Re: (Score:3, Informative)
Going a little further: the decision at the bottom of page 15 hints that the litmus test of whether venue would be proper where the server is located is whether there was "some sense of venue having been freely chosen by the defendant." Here, the defendant may not have even known where the server was located. (Do you know where all the servers you access are located when you're using the Internet?) I think the prosecutor would have to show that knowledge on the part of the defendant before he could show tha
Re:To the point... (Score:5, Informative)
Actually AT&T exposed the emails.
Comment removed (Score:5, Informative)
Re:To the point... (Score:5, Informative)
'deliberate actions' don't meet the definition of illegal behavior though.
They had to be 'accessed without authorization'. Sending different ICC-ID codes is NOT authorization. It's just a query. There was no actual authorization in place, and thus NO ACTUAL LAW WAS BROKEN.
Re: (Score:3, Interesting)
Re:To the point... (Score:5, Interesting)
Well, not me, but the appeals court certainly did.
This paragraph is on page 10 of the ruling:
The charged portion of the CFAA provides that “[w]hoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer . . . shall be punished as provided in subsection (c) of this section.” 18 U.S.C. 1030(a)(2)(C). To be found guilty, the Government must prove that the defendant (1) intentionally (2) accessed without authorization (or exceeded authorized access to) a (3) protected computer and (4) thereby obtained information.
Then this paragraph is on page 12 of the ruling:
Because neither Auernheimer nor his co-conspirator Spitler performed any “essential conduct element” of the underlying CFAA violation or any overt act in furtherance of the conspiracy in New Jersey, venue was improper on count one.
I guess you're smarter than them.
Also, if passing a phone identifier to a query of a web server could access all this information, is that really a 'protected computer'? I'd say no.
Re: (Score:3, Insightful)
Re: (Score:1)
neither Auernheimer nor his co-conspirator Spitler performed any “essential conduct element” of the underlying CFAA violation
If that's not a 'not guilty' by a court that's not passing actual judgement, I don't know what is.
He did so by tricking AT&T's servers into thinking he was someone other than himself.
That doesn't mean UNauthorized.
he knew he wasn't entitled to access the information.
And yet there's no legal requirement for 'entitlement'. Just unauthorized access.
Again, there was no authorization process in AT&T's system, so he could NOT have accessed without authorization. AT&T's systems were set up with explicit full authorization in place. Everybody can access everything. Just enter the code.
Re:To the point... (Score:4, Informative)
neither Auernheimer nor his co-conspirator Spitler performed any “essential conduct element” of the underlying CFAA violation
If that's not a 'not guilty' by a court that's not passing actual judgement, I don't know what is.
Not that I have a particular opinion on the specifics of this case, but I think you may have truncated that quote a few words too early:
Because neither Auernheimer nor his co-conspirator Spitler performed any “essential conduct element” of the underlying CFAA violation in New Jersey, venue was improper
I read that to mean "no crime was committed in New Jersey" not "no crime took place".
Re: (Score:1)
Re: (Score:1, Troll)
Except that the law *requires* authorization be broken.
If your door is unlocked AND open, it's not B&E.
Uh, yeah, the law works perfectly pedantically. Sorry for your obvious ignorance.
Re: (Score:2)
Please let us know what authorization scheme was broken.
Or what AT&T put into place to ensure authorization was occurring.
Re: (Score:1)
So 'exceeding authorized access' isn't breaking access?
I said going through an unlocked AND open door wasn't B&E. Didn't mention trespassing or that it was legal.
Read again, illiterate fuck.
Re: (Score:3)
Re: (Score:2)
When I send a request to the server, I am knocking on your door. You can either tell me I am welcome, or you can refuse entry. If you tell me I am welcome, then you can't also try and claim I accessed something without authorization, because your server did authorize it.
Re: (Score:2)
This is unsettled law. The CFAA is very vague, so judges have to interpret it, so it's unsettled. Saying it's the "geek perspective" is meaningless; expert opinion certainly matters here.
Until we get a Supreme Court CFAA case, we'll never really know what that stupid law means. Until we know what it means, overzealous prosecutors will be using it to bully people into accepting plea bargains or killing themselves. Aaron's Law appears to be dying in committee. It's a damn shame.
Think of the intent of the
Re: (Score:1)
You're seriously going to argue that even though he had to take deliberate steps to impersonate other people he wasn't accessing information "without authorization"?
No. But I am going to seriously argue that the server returning the information implies authorization.
And don't give us that "unlocked door" bullshit analogy. This is more like a crazy ex whom I forgot still has access to my house holding a garage sale while I'm out of town. It might be embarrassing to me that such a silly mistake on my part has harmed me so greatly, but that doesn't give me justification to go after the people that my crazy ex sold my stuff to. I go after the crazy ex. The fact that
Re: (Score:2)
The meat-space equivalent is something like reporter (who is not Bob's wife) calling a bar and saying, "I'm Bob's wife, is Bob there?"
That's unethical maybe, but not illegal. Why should it be illegal just because that's done electronically?
Re: (Score:2)
Re: (Score:2)
Keep in mind that all his script actually accessed was the login page itself, that the user agent string can be set to anything on any browser, and the request itself was no different from trying to access "http://the.site.com/p?000001" then "/p?000002"... etc. It didn't actually get to the *protected* data itself, and there isn't really any privacy interest or expectation in an email address itself, either.
Re: (Score:1)
Re: (Score:2)
In no way shape or form is a "Browser agent" a security measure. Identifying a user's browser agent is not, never was, and never will be a security or authorization method. If you do any web based testing, you can change your browser agent. It's the equivalent of telling another machine what kind of clothes you are wearing. "Hi! I'm wearing firefox 1.0 today." Then AT&T says, "Neat! Since you said you're wearing firefox, you get data we're legally not supposed to give you." Replace Firefox with your bro
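To make the point above concrete from the defender's side, here is an added example (not AT&T's code, and not from any comment on this page) that places a lookup handler gated only by a client-chosen User-Agent string next to one that returns a record only for the subscriber an authenticated session already identifies. The subscriber table, ICC-ID values, e-mail addresses, `Session` class and `handle_request` dispatcher are all constructed for the example.

```python
# Added example (not AT&T's code): a User-Agent check is not authorization.
# The weak handler models the design described in the thread; the hardened
# handler binds the returned record to an authenticated session. All names
# and data below are constructed for this example.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for an ICC-ID -> e-mail table; every value is made up.
SUBSCRIBERS: Dict[str, str] = {
    "8901410421111100101": "alice@example.com",
    "8901410421111100102": "bob@example.com",
    "8901410421111100103": "carol@example.com",
}


@dataclass
class Session:
    """An authenticated session: the server has already proved who is calling."""
    subscriber_icc_id: str


def lookup_email_vulnerable(icc_id: str, user_agent: str) -> Optional[str]:
    """Weak design: the only gate is a client-chosen User-Agent string.

    The client writes the User-Agent itself, so this check authorizes nothing:
    any request carrying the expected substring gets the e-mail for whatever
    ICC-ID it names. The identifier is being treated as if it were a credential.
    """
    if "iPad" not in user_agent:
        return None
    return SUBSCRIBERS.get(icc_id)


def lookup_email_hardened(session: Optional[Session], icc_id: str) -> Optional[str]:
    """Hardened design: return a record only for the subscriber the session
    identifies; the ICC-ID in the request is a lookup key, not a proof."""
    if session is None:
        return None  # anonymous caller: nothing is returned, whatever the UA says
    if session.subscriber_icc_id != icc_id:
        return None  # authenticated caller asking for someone else's record
    return SUBSCRIBERS.get(icc_id)


def handle_request(url: str, headers: Dict[str, str],
                   session: Optional[Session], hardened: bool) -> Tuple[int, str]:
    """Minimal dispatcher returning (status, body) for GET /lookup?icc_id=... ."""
    query = parse_qs(urlsplit(url).query)
    icc_id = query.get("icc_id", [""])[0]
    if hardened:
        email = lookup_email_hardened(session, icc_id)
    else:
        email = lookup_email_vulnerable(icc_id, headers.get("User-Agent", ""))
    return (200, email) if email is not None else (403, "")


if __name__ == "__main__":
    spoofed = {"User-Agent": "Mozilla/5.0 (iPad; CPU OS 3_2 like Mac OS X)"}
    url = "/lookup?icc_id=8901410421111100102"
    print(handle_request(url, spoofed, None, hardened=False))  # (200, 'bob@example.com')
    print(handle_request(url, spoofed, None, hardened=True))   # (403, '')
    print(handle_request(url, {}, Session("8901410421111100102"), hardened=True))  # (200, 'bob@example.com')
```

The design point is the one the comment makes: a header the client fills in can describe the client but cannot prove anything about it, so the server has to decide on the basis of something it established itself (here, the session) before it hands a record back.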
Re: (Score:3)
You're seriously going to argue that even though he had to take deliberate steps to impersonate other people he wasn't accessing information "without authorization"?
Yes. "Without authorization" is more than "well I wasn't expecting him to ask that question!".
That's what this boils down to at the end of the day, he tricked AT&T's web servers into thinking he was an AT&T customer, and in so doing obtained access to information about that customer.
No, he sent a query to the webserver, and the webserver did what it was designed to do and answered it. AT&T was the one making the mistake by assuming that all trivially-correctly-formatted requests were from AT&T customers as opposed to actually checking whether the requester was - in fact - a customer (something they could've easily done!)
Then he wrote a script to automate the process and repeated it ~140,000 times.
Sure. So? It means he knows how to use 'seq' and 'wget'. Would it
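The thread treats the ~140,000 automated requests as a fact about the script; from an operator's side they are also a pattern that should have been visible in the access log long before the count reached six figures. As an added example (not from the page, and not anyone's real log data), the following parses constructed Apache combined-format lines and flags any client whose successive requested `icc_id` values are mostly consecutive. The path `/lookup?icc_id=...`, the IP addresses, the ID values and the thresholds are all assumptions made for the example.

```python
# Added example: flag sequential-identifier enumeration in access logs.
# Log lines, IPs, paths and IDs below are constructed for the example.
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2014:10:00:01 +0000] "GET /lookup?icc_id=8901410421111100101 HTTP/1.1" 200 22 "-" "Mozilla/5.0 (iPad)"
198.51.100.5 - - [10/Apr/2014:10:00:02 +0000] "GET /lookup?icc_id=8901410421111100102 HTTP/1.1" 200 20 "-" "Mozilla/5.0 (iPad)"
203.0.113.7 - - [10/Apr/2014:10:00:02 +0000] "GET /lookup?icc_id=8901410421111100102 HTTP/1.1" 200 20 "-" "Mozilla/5.0 (iPad)"
203.0.113.7 - - [10/Apr/2014:10:00:03 +0000] "GET /lookup?icc_id=8901410421111100103 HTTP/1.1" 200 22 "-" "Mozilla/5.0 (iPad)"
192.0.2.9 - - [10/Apr/2014:10:00:03 +0000] "GET /lookup?icc_id=8901410421111100250 HTTP/1.1" 403 0 "-" "Mozilla/5.0 (iPad)"
203.0.113.7 - - [10/Apr/2014:10:00:04 +0000] "GET /lookup?icc_id=8901410421111100104 HTTP/1.1" 403 0 "-" "Mozilla/5.0 (iPad)"
192.0.2.9 - - [10/Apr/2014:10:00:05 +0000] "GET /lookup?icc_id=8901410421111100213 HTTP/1.1" 200 19 "-" "Mozilla/5.0 (iPad)"
203.0.113.7 - - [10/Apr/2014:10:00:05 +0000] "GET /lookup?icc_id=8901410421111100105 HTTP/1.1" 200 21 "-" "Mozilla/5.0 (iPad)"
203.0.113.7 - - [10/Apr/2014:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.0"
192.0.2.9 - - [10/Apr/2014:10:00:06 +0000] "GET /lookup?icc_id=8901410421111100999 HTTP/1.1" 403 0 "-" "Mozilla/5.0 (iPad)"
203.0.113.7 - - [10/Apr/2014:10:00:06 +0000] "GET /lookup?icc_id=8901410421111100106 HTTP/1.1" 200 23 "-" "Mozilla/5.0 (iPad)"
this line is not a log record and is skipped by the parser
192.0.2.9 - - [10/Apr/2014:10:00:07 +0000] "GET /lookup?icc_id=8901410421111100300 HTTP/1.1" 200 18 "-" "Mozilla/5.0 (iPad)"
198.51.100.5 - - [10/Apr/2014:10:01:10 +0000] "GET /lookup?icc_id=8901410421111100777 HTTP/1.1" 200 24 "-" "Mozilla/5.0 (iPad)"
192.0.2.9 - - [10/Apr/2014:10:00:08 +0000] "GET /lookup?icc_id=8901410421111100301 HTTP/1.1" 200 18 "-" "Mozilla/5.0 (iPad)"
"""

# Apache combined format: client, identd, user, [timestamp], "METHOD path proto", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ID_RE = re.compile(r"[?&]icc_id=(\d+)")


def parse_lookups(log_text: str) -> Dict[str, List[int]]:
    """Map each client IP to the ordered list of numeric icc_id values it asked for.

    Denied (403) lookups are kept as well: a client probing IDs it is not
    allowed to see is exactly what we want to notice.
    """
    by_client: Dict[str, List[int]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: ignore rather than crash the detector
        idm = ID_RE.search(m.group("path"))
        if not idm:
            continue  # request without an icc_id parameter is not a lookup
        by_client[m.group("ip")].append(int(idm.group(1)))
    return dict(by_client)


def find_enumerators(log_text: str, min_requests: int = 5,
                     min_sequential_fraction: float = 0.8) -> List[Tuple[str, int, float]]:
    """Return (ip, lookup_count, sequential_fraction) for clients whose
    consecutive requested IDs differ by exactly 1 at least the given fraction
    of the time; a normal customer looks up one or two IDs, not a run."""
    flagged = []
    for ip, ids in parse_lookups(log_text).items():
        if len(ids) < min_requests:
            continue
        steps = [b - a for a, b in zip(ids, ids[1:])]
        sequential = sum(1 for s in steps if abs(s) == 1) / len(steps)
        if sequential >= min_sequential_fraction:
            flagged.append((ip, len(ids), round(sequential, 2)))
    return flagged


if __name__ == "__main__":
    for ip, count, frac in find_enumerators(SAMPLE_LOG):
        print(f"{ip}: {count} lookups, {frac:.0%} sequential")  # 203.0.113.7: 6 lookups, 100% sequential
```

Thresholds are deliberately parameters: a lookup endpoint that serves one record per customer can use a very low `min_requests`, while a search endpoint would need a window in time as well. The step-of-one test is also only a first cut; an enumerator that randomizes order would need a set-coverage test instead, but the per-client grouping and the parser are the same.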
Or in legal parlance (Score:5, Funny)
Re:Or in legal parlance (Score:5, Informative)
Which is more officially the Doctrine of Constitutional Avoidance: http://en.wikipedia.org/wiki/C... [wikipedia.org]
Re: (Score:3)
Re: (Score:2)
Yup: excessive enthusiasm and pilpul don't make a good mixture.
--dave
[Hmmn, I'm thinking red/green/refactor may be something legal draftsmen may want to investigate. The conviction was RED, this is GREEN, a good case before a superior court would be the REFACTOR]
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
If you actually read the ruling, footnote 5 strongly suggests that if they'd actually had to make a decision on the actual purported crime, they don't believe the government actually produced any evidence suggesting the New Jersey law was violated.
Not Quite (Score:1)
What the appeals court said is that they could not rule on the merits of the case, as there were none. For them to rule on the merits of the case, it would have to have been properly tried. It wasn't, therefore, there are no merits at all. This is consistent with the "poisoned fruit" doctrine that leads all tainted evidence to be discarded due to having been obtained illegally, whether or not it's relevant.
What happens now? (Score:5, Interesting)
That seems to say that he is now in a legal position as if the trial had never taken place. So can he be taken to court in the proper place now?
Re: (Score:3)
From Wikipedia: "Relief from judgment of a United States District Court is governed by Rule 60 of the Federal Rules of Civil Procedure.[1] The United States Court of Appeals for the Seventh Circuit noted that a vacated judgment "place[s] the parties in the position of no trial having taken place at all; thus a vacated judgment is of no further force or effect."[2] Thus, vacated judgments have no precedential effect.[3]" That seems to say that he is now in a legal position as if the trial had never taken place. So can he be taken to court in the proper place now?
IANAL, but from my understanding of double jeopardy he could be retried. It appears to be a procedural error which would allow a retrial; in this case in the proper venue.
Re:What happens now? (Score:4, Informative)
If he is retried, he can bring into evidence footnote 5 on page 12 of the judgement where the judges advanced the opinion that he was innocent of the accessing without authorization or in excess of authorization charge because there was no password or code barrier and the program accessed a publicly facing interface and retrieved information that AT&T unintentionally published. It reads that even if they found the venue as correct, they would have vacated the guilty verdict because of that.
Re: (Score:2)
I haven't read the judgement (I am a good armchair lawyer though, have read lots of opinions and regurgitation of other people's interpretation of the facts) but I am pretty sure that was a part of the New Jersey law, so in any retrial it would be irrelevant, since the standard is lower.
It would have probably been better for Weev if AT&T's servers actually were in New Jersey, since then these judges would be forced to say what they think about the NJ law as it applies to this case, which is pretty clearly
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Which is just what he didn't do, according to the opinion. I agree, this fact wouldn't be helpful to his case if he was tried in probably any other possible state, other than New Jersey.
Re: (Score:1)
Re: (Score:2)
One has to wonder then, whose idea it was to charge him in New Jersey at all...
If there's a precedent already in the state court that it's not unauthorized access if there's no code or password stolen... and there's a pretty clear argument that the case doesn't even belong in New Jersey, how did we get here? Some three years of incarceration later!
(Obviously, the answer is that it's not a crime if a cop does it.)
Re: (Score:1)
Re: (Score:2)
Re: (Score:3)
Hmm. Overly-cynical thought:
Convict him, put him in prison, let him start serving out his sentence, vacate conviction based on venue.
Re-charge him in the proper venue, put him in jail without bail, let him stew for a few years. Then try him again, convict him again, put him in prison for a year or so again. Then vacate THAT conviction based on another technicality.
Then re-charge him again, put him in jail without bail again, let him stew for a few more years while you set up a third trial. Then try him agai
Re: (Score:2)
Convict him, put him in prison, let him start serving out his sentence, vacate conviction based on venue.
His lawyer should have protested the venue in the first place. That is my understanding of the situation.
Either way I hope 'weeve' learned not to be a griefer. Otherwise he's just a jerk.
Re: (Score:2)
You're WAY off base. It's sad that you have been modded up.
Venue not objected-to in the trial court is WAIVED. That means it can't be raised for the first time on appeal.
If it could, lawyers would be sandbagging potential 'venue do-overs' all the time.
Re: (Score:2)
Re: (Score:1)
He did. The motion was denied.
The judge in that case should probably be censured.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
No - see the last paragraph in the post you're responding to.
Re: (Score:1)
Of course (Score:2, Troll)
Interesting (Score:3, Interesting)
I never understood this. If you break up a rape and beat the crap out of the perpetrator, you are hailed a hero. But expose flaws and you are a criminal. I suppose it's not the crime they are exposing, but the tactics to obtain the information then? So the question would be do the ends justify the means? That would apply to all things governmental/commercial I suppose.
Re: (Score:2)
Re: (Score:2)
Sometimes, laws need to be broken.
Read that any way you want.
Re: (Score:2)
Re: (Score:2)
Often, the legal consequences are what makes it so obvious that the law should be broken.
Re: (Score:2)
When I took Halderman's security class, he warned us that any student who broke the law would automatically get an F in his class.
I think if you broke the law-- and he can't argue you broke the law unless you are convicted-- then getting an F is the least of your worries.
Re: (Score:2)
If you break up a rape and beat the crap out of the perpetrator, you are hailed a hero.
That depends entirely on locale. Some prosecutors would go after you for the assault.
Re: (Score:1)
Weev did more than expose the security flaw. He ran a scheme to collect the email addresses behind the flawed security scheme, and collected over 100K of them. If he (and his partner) had stopped when the security flaw was discovered, then there would not have been a crime committed.
Re: (Score:1)
That's like arguing that a shoplifter took a knife, but didn't intend to stab anyone with it, so he's innocent. The illegal act was the collection of the email addresses that AT&T failed to properly protect.
Think of it this way: AT&T had a security plan (a wall) to protect a collection of email addresses (a pot of gold coins), and AT&T failed to notice that there was a security flaw (a hole in the wall). If Weev walked up to the wall and declared there was a hole there, that would have been lega
Re: (Score:1)
I don't think so. (That would violate the 1st amendment, as in free speech.) The crime would lie in running that code.
Re: (Score:2)
That's what's missing in the security front. If you're exposing the flaw in self-defense (your info is at risk) or defense of another (other people's info is at risk), you should be immunized against prosecution if you reveal the info in a reasonable manner. "Reasonable" can be defined in many ways, but probably someth
Re: (Score:2)
It's more like writing an article in your local newspaper telling everyone who reads the paper just how they can steal all your neighbor's property without getting caught.
At least that's my impression.
Re: (Score:2)
I was actually waiting for someone to bring up a rape analogy. Your analogy fails.
If you break up a rape, you've done two things: Witnessed wrongdoing and attempted (succeeded?) in stopping it.
If you pen-test someone else's network, you've done none of these things. Where's the witnessed wrongdoing? Where's the stopping it?
In the first case, of course you are (or should be) a hero. But to extend your analogy, in the latter case, you're done nothing more than check every girl you can find to see if she'
Not Odd At All (Score:5, Insightful)
"Oddly, the reason for the ruling was not based on the merits of the case, but on the venue in which he was tried (PDF)."
This isn't odd at all. If the venue was incorrect, then all the issues raised in the trial become irrelevant.
Think of it this way: if he'd been charged with "being a Mets fan," and the appeal was based on (a) there's no law against being a Mets fan, and (b) the evidence that he was a Mets fan (a cap) was obtained through an illegal search, then whether or not the search was illegal would be irrelevant - he had broken no law, so the "conviction" would be tossed out.
Re: (Score:2)
...except that the situation you just described is the opposite of what happened.
The judges declined to give an opinion on whether or not any law was violated, they vacated the verdict in NJ because of a procedural violation that had taken place -- the venue the case was tried in was NJ, even though the events and parties (AT&T was not a plaintiff, so technically not a party... but the servers in question) were not any of them in NJ.
Re: (Score:3)
An opinion on the law being violated was given in footnote 5 on page 12 of the judgement. It suggests he is not guilty of the charge.
Re: (Score:2)
It suggests (by way that no evidence was offered) that he is not guilty of unauthorized use of a code or password, which means he's not guilty of violating the precedent for the statute in NJ. It gives no opinion on whether or not this has any bearing on the federal charge under CFAA. The precedent cited is another NJ case, where the person on trial was a police officer who had a password and used it for reasons against internal policy. There was no password, but I believe the standards of the federal CF
Re: (Score:2)
Bad example on my part, then. Point I was trying to get across is that, if there's a procedural reason to overturn a ruling, judges will always go that route rather than getting into the substance of the case, since the substance doesn't matter.
Re: (Score:2)
I'll try a car analogy. If you're trying to drive to New Jersey and you're starting your trip in Ireland, it's not important that you don't have EZPass or any American money to pay the tolls. There's too much water in your engine by the time you reach the shore, assuming you didn't just run out of gas on the bottom of the ocean. You didn't fail to pay the roadway tolls in Jersey, since you never were in the state of New Jersey. So you don't go to jail for that.
Re: (Score:1)
"Oddly, the reason for the ruling was not based on the merits of the case, but on the venue in which he was tried (PDF)."
This isn't odd at all. If the venue was incorrect, then all the issues raised in the trial become irrelevant.
Think of it this way: if he'd been charged with "being a Mets fan," and the appeal was based on (a) there's no law against being a Mets fan, and (b) the evidence that he was a Mets fan (a cap) was obtained through an illegal search, then whether or not the search was illegal would be irrelevant - he had broken no law, so the "conviction" would be tossed out.
It's a little more complicated than this. Part of the reason New Jersey was chosen is that they could tag a felony onto the case. So it would be like being charged for being a Mets fan, but you live in Arkansas, and the cap was found in Arkansas, but it's only a misdemeanor in Arkansas to be a Mets fan...so the trial was moved to Jersey where being a Mets fan is a felony.
I hope you don't work for the NSA... (Score:2)
From the decision: "To be found guilty, the Government must prove that the defendant (1) intentionally (2) accessed without authorization (or exceeded authorized access to) a (3) protected computer and (4) thereby obtained information." I haven't read this particular law, but I doubt that it has a provision that gives blanket immunity to government agents/employees. The minute you step over the line of unauthorized access to a computer (assuming you don't have a warrant), you've just committed a crime.
Ooooo
Not just the Declaration (Score:4, Interesting)
This King, these Lords, and these Commons, who it seems are too remote from us to know us and feel for us, cannot take from us ... our Right of Trial by a Jury of our Neighbours. ... To annihilate this Comfort, ... let there be a formal Declaration of both Houses, that Opposition to your Edicts is Treason, and that Persons suspected of Treason in the Provinces may, according to some obsolete Law, be seized and sent to the Metropolis of the Empire for Trial; and pass an Act that those there charged with certain other Offences shall be sent away in Chains from their Friends and Country to be tried in the same Manner for Felony. Then erect a new Court of Inquisition among them, accompanied by an armed Force, with Instructions to transport all such suspected Persons, to be ruined by the Expence if they bring over Evidences to prove their Innocence, or be found guilty and hanged if they can’t afford it.
(emphasis his)
Re: (Score:2)
A wonderful ideal, but it did break down when a smuggler was tried with a jury of other smugglers.
Re: (Score:2)
Details on the exploit? (Score:2)
I've been trying to find some sort of write up on what was exploited and how it was found.
Does anyone know where to find any of this documentation?
Re:Details on the exploit? (Score:5, Informative)
Is It Unlawful To Increment A Number In A URL? (Score:2)
If so, then I committed an unlawful act today. Did a Google search, and soon I was reading a pdf file of section 9 of some code, but it referred to section 10. How do I locate section 10? Oh wait - just increment the section number in the URL by 1. Oops - Federal prosecutors knocking on my door, ready to haul me off to NJ for trial. Dang.
Re:sad day for those who don't like 4chan trolls (Score:5, Insightful)
Not liking someone isn't a good enough reason to put them in jail.
Usually. For now.
Re:sad day for those who don't like 4chan trolls (Score:5, Funny)
From a practical standpoint, it depends on who doesn't like him.
Re: (Score:2)
Thank you. I'll take the Score:5, but it wasn't meant to be funny.
Re: (Score:2, Interesting)
Not liking someone isn't a good enough reason to put them in jail.
Then why are people in jail for smoking pot, or being in the wrong location while black?
People go to jail all the time just because some idiot with power didn't like them.
Re: (Score:3)
Re: (Score:2)
Then why are people in jail for smoking pot, or being in the wrong location while black?
Wait -- back up. You know that one of those two things is actually on-the-books against the law and the other is not, right? I hope. Please?
Re: (Score:2, Insightful)
Re:sad day for those who don't like 4chan trolls (Score:4, Informative)
that the security measures were woefully inadequate is beside the point
On the contrary, we cannot have the law being abused to take the place of security. Too many people would fake the security and rely on the law to make it work. Too many are already doing exactly that. It's a costly and unreasonable burden upon the public. Pay for your own security. That includes designing a reasonable system, implementing it properly so that it actually works, and performing tests and audits. Just because perfection is hard is no reason to excuse sloppy security work. DRM, for instance, fails the reasonability requirement. We have had our publicly funded police forces and courts misused to confiscate prescription drugs, improperly demand license fees from users rather than producers (SCO scared and bullied a few users into paying for a license to use Linux), and of course conduct a massive campaign to hold back technology in the name of stopping piracy. ISPs are pretty well free of being burdened with requirements to keep years and years of logs, for fishing expeditions, but there is still danger it could become the law.
It is also better not to have doubt about whether some security effort was meant to be real but was bungled, or was indeed faked and, after being breached, is claimed to have been a real effort all along and therefore the breaches are worthy of prosecution. This is especially true on a system that is not experimental, but is instead an implementation of well known, effective methods. AT&T wasn't doing anything new, no, they just plain blew it. Saves us all a lot of time and money arguing over a pointless aside.
We even have cases of security law being gamed. We don't need someone setting up a honey pot to snare particular victims, then running to the law to complain that mean, bad people broke in, ask that the seeming perpetrators be thrown in prison, and kick back and watch as the full paranoia and wrath of the law is released upon their enemies.
Owners should install working locks on their doors and use them, not demand that the government spend enough money, no matter how much, to watch every door all the time because they can't be bothered to spend the trivial amount of money needed to have a working lock.
Re: (Score:2)
I'm a bit of a devil's advocate as I write this, but:
The law is already responsible for security. When I leave the cheap door locks on my house locked and the windows open (but locked, and because the weather is beautiful), and someone breaks in (by picking the lock, using a metal rod to bypass the locked window, a sledgehammer to knock the doorknob-lock off of the door, or just throwing a brick through the window), the crime is the same as if I had fancy Medeco deadbolts, high-security doors, wrought-iron
Re: (Score:2)
Microsoft makes an especially good example of the results of ignoring security for convenience. Does AT&T deserve leniency and approval for trying to make life convenient? Not when they could have easily had the same convenience with real security.
Why should the law jump when AT&T whistles? Consider this scenario. Alice leaves the door to her business unlocked, and the lights on, and Steve observes this. Steve sends a fake invitation to Bob for an after hours party at Alice's business. Bob g
Re: (Score:2)
yet doxxing someone and starting a campaign of threats isn't?
Re: (Score:2)
Re: (Score:2)