This hacker might seem shady, but throwing him in jail is bad for everyone

198 points, by Fourplealis, over 11 years ago

14 comments

msandford, over 11 years ago
If you visit an internet cafe and someone's forgotten to log out of their bank account and you fiddle with it, that's probably a crime, since in nearly all cases they probably didn't intend to do such a thing. We can surmise this by observing that the banking website had a password to protect the account holder. This is evident by virtue of the "log out" link that's clearly visible, the fact that the website is served over HTTPS, and the normal convention that banking information is private.

Now imagine that you come upon a computer and click on one of the favorites. It's a banking website. No password, no HTTPS, no access controls at all. Who is responsible for the security breach? You or the bank?

I would argue that if there are no technological access controls in place, there is no such thing as "unauthorized access". You can't be unauthorized if there is no authorization. The default on the internet is "can access".

They're prosecuting him for the digital equivalent of walking down a street and taking pictures of houses which don't display numbers on their mailbox.
austenallred, over 11 years ago
Reading this article (http://www.theverge.com/2013/9/12/4693710/the-end-of-kindness-weev-and-the-cult-of-the-angry-young-man) makes me feel not too terrible that he's being thrown in jail.
nonce42, over 11 years ago
It's worth reading the criminal complaint and indictment (https://www.eff.org/cases/us-v-auernheimer) to get some background. In particular: the discussions of using the email addresses for a phishing scheme, using them for spam, shorting AT&T stock and profiting off the data release, setting up WiFi routers so they can blame it on a third party, discussing how this was a federal crime, and how to spin themselves as a legitimate security organization. These things make it really hard to view weev as a genuine security researcher who was prosecuted for no good reason.
biot, over 11 years ago
Everyone throws out analogies about walking into unlocked houses and such. Those are fairly poor analogies, so let me offer one which I think is far better at conveying what really happens.

Imagine you walked into a public library and struck up a conversation with the librarian:

    You: Can you tell me general information about this library?
    Librarian: Certainly, this library was built in 1990, has a million books on its shelves, and...
    You: What are the hours?
    Librarian: Monday to Saturday, 10AM to 8PM. Sunday, 10AM to 5PM.
    You: Frothy bacon generates utilitarian synapses!
    Librarian: I'm sorry, that's not really a proper question I can help you with.
    You: Can I borrow book identified by ISBN 4961357406830?
    Librarian: Sure, here you go.
    You: Can I borrow book identified by ISBN 6498794651315?
    Librarian: Sure, here you go.
    You: Can I borrow book identified by ISBN 9840546790354?
    Librarian: Sure, here you go.
    You: Can I borrow book identified by ISBN 3168706780943?
    Librarian: Sure, here you go.
    You: Can I borrow book identified by ISBN 7893781056145?
    Librarian: Sure, here you go.
    You: Can I borrow book identified by ISBN 2764894617987?
    Librarian: Sure, here you go.
    You: Can I borrow book identified by ISBN 9764660911970?
    Librarian: Sure, here you go.
    You: Can I borrow book identified by ISBN 6666666666666?
    Librarian: Sorry, that book doesn't exist.
    You: Can I borrow book identified by ISBN 8669177714641?
    Librarian: Sorry, you've been requesting too many books lately.
    You: Can you let me into the Staff lounge?
    Librarian: Sorry, you'll need to show me your staff credentials when asking.
    You: Can you provide me with a list of all employees and their salaries?
    Librarian: Sorry, you are not allowed to have that information.
    You: Can I use the general conference room on the third floor?
    Librarian: Actually, that was moved. It's now on the second floor.

As you can no doubt see, these translate directly into HTTP requests:

    GET /                                              200 OK - This library was built in 1990, has a million books...
    GET /hours                                         200 OK - Monday to Saturday, 10AM to 8PM. Sunday, 10AM to 5PM.
    POST /frothy-bacon-generates-utilitarian-synapses  400 BAD REQUEST
    GET /books/4961357406830                           200 OK - [contents]
    GET /books/6498794651315                           200 OK - [contents]
    GET /books/9840546790354                           200 OK - [contents]
    GET /books/3168706780943                           200 OK - [contents]
    GET /books/7893781056145                           200 OK - [contents]
    GET /books/2764894617987                           200 OK - [contents]
    GET /books/9764660911970                           200 OK - [contents]
    GET /books/6666666666666                           404 NOT FOUND
    GET /books/8669177714641                           429 TOO MANY REQUESTS
    GET /admin                                         401 UNAUTHORIZED
    GET /employees/salaries                            403 FORBIDDEN
    GET /floor/3/conference                            301 MOVED; Location: /floor/2/conference

In both cases, we have a gatekeeper (librarian / web server) which is capable of responding to requests, can authorize various requests, can require credentials for sensitive requests, can limit the rate at which requests come in, can deny requests altogether, and can identify when requests for certain things have moved to new locations.

The librarian is smart enough to not hand out things like access to the staff lounge, a list of employees and their salaries, or even things like an arbitrary library member's borrowing history. The web server has been configured to not hand out things like admin access or other things which are deemed sensitive, but the owners of the web server have taken the position "Well, nobody's going to be guessing ISBN numbers, so we'll let anybody on the internet request the contents of those books."

When is the onus on the web server owner to configure their security properly? When is a "200 OK" response actually not okay? This is the "mind reader" aspect the article mentions.
usaphp, over 11 years ago
Here is my analogy:

1. You just finished your workout and went to a locker room at your gym (he went to a public website).

2. You opened up your own locker and took your stuff from it (checked his account).

3. You found out that very few people are using locks in the gym locker room (figured out the account id in the URL).

4. You know that it is not your belongings in other people's lockers, but they are not locked just because people are lazy or don't want to spend money on the lock (he knew that those accounts did not belong to him, and were accidentally not locked by AT&T).

5. You decided that if those lockers are not locked, that means the clothes inside those lockers are public property and you can easily borrow them (tried to browse to other URLs and get private account info).

6. You go ahead and try opening every single locker in the room and put all the belongings you find in opened lockers on eBay to sell for a profit, BEFORE letting the owners or the gym know that those belongings are not locked (sold private data to somebody).

I think that's not legal behavior: as long as you understand that the property you are taking is not yours, you are committing a crime by taking it (stealing).
darklajid, over 11 years ago
I know this is not a position people over here like to support, but..

    But this technique, known as "scraping," is surprisingly common among technologically sophisticated users and has a number of legitimate applications. To get a list of sex offenders, Poulsen wrote an automated program to search the Department of Justice Web site for each zip code in the United States and then save the name and address of each registered sex offender in that zip code to a file.

Really? Really? That's a 'legitimate application'? Never mind that the pure existence of that registry is a slap in the face for people with my understanding of Freedom and Liberty (in caps), scraping _that list_ is why we want to protect scraping? I haven't felt that disconnected from content on this site for a long time.

    Yet most people would agree that Poulsen's actions were a legitimate journalistic project. So we might want to be careful about subjecting this kind of technique to criminal penalties.

Most people?? In what world?

I'm sorry for the detour, but the whole article is trying to defend weev while linking to atrocious actions of that guy in the past and coming up with the most despicable (Thanks Hollywood, learned a new term) reason for scraping _ever_. Disgusting.
PhasmaFelis, over 11 years ago
So does anyone know why exactly they weren't able to get Weev on criminal harassment? I wouldn't expect the gummint to fail to bring the charge unless they thought there was no hope of victory, but it seems like such a gimme.
JanneVee, over 11 years ago
It is annoying when people throw analogies around to describe it to a highly technical audience. When is Hacker News going to discuss the fact that User-Agent in the HTTP header is not a security feature? When is the discussion that a sequential id is equivalent to no security?

No analogy in the world is going to change the fact that User-Agent checking and sequential ids are not security features. And if courts are allowed to make them security features it is bad news for everyone's security.
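The status-code mapping in biot's library analogy above, and JanneVee's point that User-Agent checking and sequential ids are not access controls, as an added example that is not part of this thread or of any project it mentions: a toy Python gatekeeper in which every decision rests on a server-side session and an owner check, resource ids are random tokens (an assumed design), and the User-Agent header is never consulted for authorization. The routes, account names, the admin role and the rate limit of 10 are constructed for the example, as is the weak_lookup function that shows the pattern the thread criticises beside the checked version.

```python
import secrets
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

RATE_LIMIT = 10  # requests per client before the "too many books" answer (assumed value)


@dataclass
class Request:
    method: str
    path: str
    client: str                          # who is asking, e.g. a source address (constructed)
    session_user: Optional[str] = None   # user behind a server-side session, None if no session
    headers: Dict[str, str] = field(default_factory=dict)


def weak_lookup(accounts: Dict[str, dict], rid: str, headers: Dict[str, str]) -> Optional[str]:
    """The pattern the thread criticises: hand the record to whoever names its id.
    `headers` is deliberately unused: a User-Agent allowlist would add nothing,
    because that header is chosen by the client, so it cannot say who is asking."""
    acct = accounts.get(rid)
    return acct["email"] if acct else None


class Server:
    """Gatekeeper that answers like the librarian: 200/301/400/401/403/404/429."""

    def __init__(self) -> None:
        # Random ids make guessing impractical, but the owner check in handle()
        # is what actually enforces access; the two are not substitutes.
        self.accounts: Dict[str, dict] = {}
        self.admins = {"librarian"}          # constructed role assignment
        self.hits: Counter = Counter()       # per-client request counter
        self.moved = {"/floor/3/conference": "/floor/2/conference"}

    def create_account(self, owner: str, email: str) -> str:
        rid = secrets.token_urlsafe(16)      # 128-bit random id, not a counter
        self.accounts[rid] = {"owner": owner, "email": email}
        return rid

    def handle(self, req: Request) -> Tuple[int, str]:
        # Rate limit first: the librarian refuses before considering the question.
        self.hits[req.client] += 1
        if self.hits[req.client] > RATE_LIMIT:
            return 429, "Too Many Requests"
        if req.method != "GET":
            return 400, "Bad Request"          # "not a proper question I can help with"
        if req.path in self.moved:
            return 301, "Moved; Location: " + self.moved[req.path]
        if req.path == "/":
            return 200, "This library was built in 1990, has a million books..."
        if req.path == "/hours":
            return 200, "Monday to Saturday, 10AM to 8PM. Sunday, 10AM to 5PM."
        if req.path == "/admin":
            if req.session_user is None:
                return 401, "Unauthorized"     # no credentials shown at all
            if req.session_user not in self.admins:
                return 403, "Forbidden"        # credentials shown, wrong role
            return 200, "Staff lounge"
        if req.path.startswith("/accounts/"):
            rid = req.path[len("/accounts/"):]
            if req.session_user is None:
                return 401, "Unauthorized"
            acct = self.accounts.get(rid)
            if acct is None:
                return 404, "Not Found"
            if acct["owner"] != req.session_user:
                return 403, "Forbidden"        # exists, but it is not yours
            return 200, acct["email"]
        return 404, "Not Found"
```

The owner check is the part that makes a 200 mean "okay": the record is released only to the session that owns it, regardless of how the id was obtained or what the client claims to be. Some deployments answer 404 rather than 403 for another user's resource so that the response does not confirm the id exists; either way the decision is made by the server from state it controls, not from a header the client supplies.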
ajays, over 11 years ago
/u/biot's analogy is apt. But I don't understand why it isn't a defence that the HTTP protocol starts with a REQUEST. The server is the one who actually serves up the information.

If I _request_ something from you ("hey, can I borrow your car?"), and you give it to me, then what's the problem here?
gwu78, over 11 years ago
Kudos to the WP for ongoing coverage of this case. There are important issues being litigated here that could affect everyone, and I'd argue they are worth discussing without regard to this particular defendant and the sheer stupidity of his actions.

However, I find WP's use of Poulsen's activities as an example of "legitimate" automated HTML retrieval ("scraping") to be an odd one. It seems an awkward comparison to convey what should be a simple point, in my opinion.

How about something much more common? Googlebot. Imagine if we forbade Google from using automation and from scraping content and placing it in the Google cache. No more web search.

Alas, because of the ad hoc nature of the Web (i.e., there is no unifying organizational scheme for locating content across all websites as there would be in, say, locating content in a library of books), you cannot access Web content until you first discover it. In order to discover content, you generally have to search. In order to create an index and cache of content to search, someone has to scan/crawl/scrape websites. The latter three are activities that are routinely automated. As such, they will violate many website Terms of Service and may get you banned simply for being "automated".

In fact, to use Google as an example (not picking on them per se, it's just that they are a well-known example), crawling Google will "get you banned" from using Google, temporarily.

The irony of this has always intrigued me: Google may crawl your servers, but under Google's policies, you may not crawl Google's servers.

If I create an index of your website, at your expense (by aggressively running automated queries against your HTTP server, as Google does, for example), am I obligated to share it with you?

In any event, attempts to criminalize automation should raise red flags with anyone who is even slightly tech savvy.
mangoman, over 11 years ago
I love the use of analogy to describe the situation to those who may not understand exactly what Weev did. But can we decide law simply on analogy? Which analogy is a more accurate tale of what Weev did? What I like about this article is it explains what Weev did and how incredibly common his techniques were, without too much analogy. Analogies may be much more effective, but a direct explanation feels a lot more genuine.
mabhatter, over 11 years ago
Government always prefers "shoot the messenger" to actual security. There should literally be nothing illegal about what he did in that case. He didn't "hack" anything except HIS computer to pretend to be an iPad. And that would be the point of identifying it as a security concern. After all, if he had figured it out, surely the Russians and Chinese figured it out between when he did it and when they prosecuted him... it doesn't make the hole go away!!!

What he did is like sticking a GM car key into a Toyota. Generally that doesn't work, it shouldn't work... but what if it does anyway? Shouldn't the company that makes the cars fix that?
hawleyal, over 11 years ago
The information was public. He did nothing wrong.

It is similar to accidentally posting all those email addresses on a bulletin board on the street and hoping no one reads them.
3327, over 11 years ago
He is a hacker? He must be doing computer sorcery. Off with his head.