At that time some HN members, possibly some of the same ones here attacking this hacker (perhaps with good reason), defended the data-theft-for-profit actions of these companies.

These two positions are not consistent. People may wish to pick a side of this issue and stick to their position if they wish to be taken seriously, or frame a coherent argument why it is acceptable for corporations to engage in data theft from individuals but the reverse should be severely punished with prison time and other penalties.

Those who genuinely believe that weev should be prosecuted and imprisoned for his actions may wish to consider if the same call should be made for criminal proceedings against the larger scale and more clearly profit driven data theft actions taken by large and well funded companies such as Twitter, Path, Facebook, Apple, and many others.

Laws take into account indent (mens rea) and there is a lot of evidence in his indictment that he wanted to profit off this act. He shouldn't be compared to Aaron Swartz

He wasn't trying to profit from this. If that had been his goal, he would have been a lot more stealthy.

It's arguable that he had "cleaner" motives in his act than aaronsw -- some people say aaronsw wanted to release all the files he recovered to the Internet (although there's no proof of that); weev just wanted ATT to suck less.

weev has said things far worse than what's alleged in this case (that they wanted to compile a list and direct market the users); yet, if you judge him by what he's actually done, he's just an asshole at times, but basically reasonable. Fortunately just being an ass isn't a federal crime (although I guess conspiracy to be an ass is).

Perhaps it's true, but it's stupid and it's hard for me imagine anyone taking that explanation seriously, certainly prosecutors and judges.

If you walk into a bank with a gun and ask the teller for money, then say "just kidding", .... Good luck.

Weev has always taken anything and turned it into drama. That's the whole Internet Troll thing. A normal defendant wouldn't, when faced with a chance to reduce his sentence by 1-3 years by "accepting responsibility", post something like this to the press. It basically screams "upward departure" to a judge, while at the same time rallying people on the Internet, which doesn't really mean so much inside a federal ass-rape prison.

Whether this should be a felony should relate to how conspiratorial the intent and whether there's a reasonable expectation that the persons whose information is involved will be affected. It does sound like weev was doing something that would screw the AT&T customers involved -- a pretty nasty move.

I wish people could be a little more honest in the way they describe computer crimes. He knew or should have known that that api was not meant for public use. He is being punished for using it despite this knowledge.

And again, of wasn't just wrapping curl in a for loop. It was doing that with the knowledge that the target was not meant to be public, storing that information, and sharing it with the media.

Also, it wasn't murder, it was assault with a deadly weapon. The victim went on to make a full recovery but it was the defendant's third strike.

AT&T's intent isn't really relevant. The fact is, they published all of those emails publicly. They certainly didn't mean to, but I fail to see how accessing public websites can be considered a crime, even if you access lots of them when the company doesn't want you to. If I forget to close my blinds before having sex, that doesn't make anyone who walks by on the street and sees me a criminal. Nor are they criminals if they take a picture and post it on reddit. It's your job not to expose that material publicly if you want it to be private.

>storing that information, and sharing it with the media.

Neither of these are acts that should be considered criminal, just as the storing and uploading to reddit of an embarrassing photo is not criminal. Would it still have been criminal if he had passed the bash one-liner to the media, instead? What's the difference? The responsibility for the leak still resides with AT&T, and them alone.

Now, none of this is to say that I condone of weev's actions. I certainly would have handled the situation differently. But being rude and being a criminal are not synonymous.

In the meatspace it happens all the time that you can get in trouble for being somewhere you're not supposed to even if they forgot to hit the locks on the way out.

Or for a possibly more relevant example, what happens in real life if you find an ATM that has an error such that it gives you twice as much cash as you asked for? Is it still theft if you take it? (Hint: Yes)

Should that equate to a felony here, where no authentication shenanigans were employed? I don't think so, but I wish we'd quit with the victim blaming here on HN.

I also wish we'd separate the enforcability of something from its morality or legality. There's many, many minor things wrong that people can do that even the current state can't hope to fully enforce, but that doesn't make it right, it makes it a fact of life. But if you do somehow get caught doing something that 99% of the rest manage to get away with, shame on you.

By the way, that ATM example wasn't made up: http://investorplace.com/2012/11/faulty-atm-gives-out-extra-... (the Bank opted not to try to find out which customers took the money, due to the difficulty with getting accurate evidence, not because it was right to take the money)

That's definitely not legally true.

    wget http://example.com/?id={1..10}

In Texas, they don't convict homeowners who shoot trick or treaters trespassing on private property: http://wiki.answers.com/Q/In_Texas_can_you_shoot_someone_for....

Don't act so surprised and imposed upon that a culture that very much respects fences sees something wrong with intentionally poking your nose where it doesn't belong, online or offline.

Yes, the distinction is relevant. Taking photos of my wife in public and publishing them? Creepy but not illegal. Walking through my door (locked or unlocked, it doesn't matter) to take photos of my wife in my house? You're lucky if you don't get shot.

    The crime in question was accessing a computer system in an unauthorized fashion

You can't anthropomorphize the web server like that. You cannot say this guy reasonably inferred that AT&T intended him to have access to these e-mail addresses. It's a dumb piece of equipment--a broken door lock. An unlocked door does not mean you are invited to come in.

Now the server provider is responsible for having not adequately secured the customers information, and the guy who asked for that information is responsible for what he does with that information. What I won't accept is that you criminalize the mere request for said information and the retrieval of whatever response is returned.

Certainly hacking, and given that he doesn't work for, or is associated with AT&T - some type of criminal trespass - but, we're talking community service here, not a felony. Slap the hand, don't cut it off.

I would hope we can all agree that there is a pretty big difference between a pervasive attack where someone spear-phishes a user inside a company, plants a trojan, and uses that to acquire sensitive intellectual property for financial gain, and/or do damage - versus what weev did - trying some pretty obvious numbers on the public website with an iPad user agent.

I agree, but he's not being charged with felonies for simply poking around. He's being charged with felonies for what he claims he was going to do with the information.

The defense seems to be that he wasn't actually going to do that, but it's the ___domain of the jury to decide his intentions based on his actions.

When you send packets to an internet-connected device, and that device sends some packets back to you, that is not "trespass". You haven't "gone" anywhere, and you certainly didn't cross any "property lines". Much in the way that the copyright mafia wants to redefine "piracy" from "murder and plunder on the high seas" to "listening to a friend's MP3", numerous other bad people will be thrilled when the public accepts "SYN,SYN-ACK,ACK" as a new meaning of "trespass".

Please clarify. Are you trying to say that there exists any justification for this idiotic Texanity? Because there isn't, and therefore you can't logically use it to justify this other unjustifiable thing.

Also, sending packets to an internet-connected device, and then reading the packets it sends back to you, is in no sense "trespassing". Trespass is being physically present in a physical ___location in which you aren't welcome. You can't trespass while you're physically in your mother's basement. Please don't mangle the English language.

http://arstechnica.com/apple/2011/01/goatse-security-trolls-...

If accessing published information (and incrementing a number in an url cannot be considered breaking in ...) is against the law, there is something terribly wrong with the law.

That said if he tried to use the data to extort money from AT&T that would of course be a criminal offense (even if the "intent" was robinhoodian).

To illustrate with an analogy: If someone takes a picture of a hapless drunk girl dancing topless in a bar (AT&T), that is not criminal. If this person approaches the girl and asks for money to delete the incriminating pictures, that is extortion. If the person sells the picture to an interested third party, this might constitute the case for a civil lawsuit (see the texxxan case...)

In any case no special laws are needed for judging behaviour in the virtual world.

This is exactly the same thing that was thrown at Aaron, even if you don't find the target as sympathetic.

"He that would make his own liberty secure, must guard even his enemy from oppression; for if he violates this duty, he establishes a precedent that will reach to himself." -Thomas Paine

"Auernheimer then helped Spitler refine his script to harvest a large number of valid e-mail addresses of iPad 3G users, suggesting that a huge data set would be needed to "direct market iPad accessories" or start a "future massive phishing operation," noting that the data breach would be "huge media news."

This might be offensive, juvenile, or unfunny, but it's nothing remotely close to criminal. The feds took a private IRC log out of context and pasted it into the indictment.

This is not what the prison system exists for, and we are all worse off for using it this way.

Really, if you confess to a crime, and then turn around and say "ha ha, only kidding!" don't be surprised if people find it hard to trust anything you say.

Note: I'm taking what you've said here at face value and otherwise know very little about this case.

Do you guys always know the full story behind the news and comment accordingly? If you do based on the articles you read around, I want to remind you that in Aaron's case what you could read about the case was less than half the truth and there are still things we're not sure.

Unless you know something everyone else doesn't then what is published about the Schwarz case is on the record and in the books. So you're saying that the prosecutors were correct in the charges they brought?

It's really not that hard to compile a list of email addresses from a public API in a way that doesn't violate the law.

That should be "intent", fyi. Legal code is not nearly as whitespace-sensitive as is Python.

I did this because I despised Guido van Rossum, whom I think is unjustly beardy[1], and wanted to embarass him.

I was convicted of two consecutive five-year felonies, and am now awaiting sentencing.

[1] https://dl.dropbox.com/u/14204175/screencaps/AwesomeRossum.j...

All this guy did was exploit publicly available information. It seems the US is now sending people to jail for pointing out other peoples stupidity. Sure he probably went too far with the whole, "I want to embarrass AT&T thing" but trolling is not hacking and it's not like Andrew had to bypass any form of security to get the info in the first place.

Anyone would swear this guy found a way to steal credit card details...

What he did is no different to someone writing a script that scours the web looking for email addresses (a tactic spammers have used and gotten away with for years), except no trickery was required to get the addresses AT&T were handing them over unknowingly without recourse. This can't even be considered a hack, more of an exploit if anything.

The stupidity of wanting to embarrass was no doubt a really stupid move to make, but definitely not some security defying hack. People shouldn't be jailed for acting like idiots, AT&T should be the ones being scalded for allowing this to happen in the first place. A company has a responsibility to keep customer data safe, AT&T should be no exception to that rule.

Edit to add: The law is structured this way for a very specific reason--to account for human error. What if I always lock my front door, but this morning I was in a hurry and forgot? Should I give up all rights of private property because of this error? Obviously not, which is why someone walking into my house through my unlocked door would still be a crime (trespassing, at least). If they took anything, it would still be stealing--even though one could argue that if I "really" didn't want anyone to take my stuff, I would have locked my door.

We all know how hard it is to properly write totally secure web services. We read about the failures every day. The question, then, is similar. Should the rights of people and companies be completely dependent on their ability to write invulnerable code? I would submit that that is not a sustain way for the law to operate.

Note that I'm not addressing weev's case specifically, as I'm not familiar enough with the details. Just addressing the general case.

You and me would both be alarmed if someone entered our house after we forgot to lock the door, but I wouldn't consider that persons entry into my house a crime in itself (obviously, its probably still a crime whether I agree or not). Do you forfeit rights to your private property for forgetting to lock your door? Not at all. If you wake up in the middle of the night and someone is in your house, and you shoot them, you did nothing wrong. Whether or not you locked the door, your life is at risk if you assess the situation incorrectly (goes for daytime too). When that person entered into somebody else's house uninvited, they made a decision to subject themselves to your discretion.

> If they took anything, it would still be stealing--even though one could argue that if I "really" didn't want anyone to take my stuff, I would have locked my door.

They would be wrong telling you that you forfeited your rights to your belongings for not locking your door. If that were the case, nobody would be obligated to pay for anything at the grocery store or mall.

> Should the rights of people and companies be completely dependent on their ability to write invulnerable code?

It is up to you to defend your rights, nobody else. If you are going to offer a service and want to protect the server, data, code, licenses, etc.. the burden is on you to protect it through whatever means you see fit. It is no one else's job to protect your product.

> I would submit that that is not a sustain way for the law to operate.

The reason for that may be because we shouldn't rely on the law to prevent a crime aside from being a visible deterrent. The purpose of law should be to enforce civil agreements when a crime is committed. If someone causes financial damage to your property, what good does it do to put that person in jail? Wouldn't a better solution be to have your property returned or receive financial compensation equivalent to the value of what was taken/damaged?

"On 20 November 2012, Auernheimer was found guilty of one count of identity fraud and one count of conspiracy to access a computer without authorization. Auernheimer tweeted that he would appeal the ruling."

Is the problem that the laws themselves are terrible, or that the laws are being misused by overzealous prosecutors? I mean, if changing a public URL is considered "conspiracy to access a computer without authorization"... Or is this just not the full story, and he really was trying to do some "bad" stuff?

But if not: what can be done to change the law? Is appearing "soft on hacking" such a bad idea that politicians just won't support something better? Or is it really difficult to craft laws that actually do criminalize "bad" activity, without also technically criminalizing innocent activity?

What can be done?

There is a line of thinking in the tech community that accessing data you're not supposed to access is only "bad" if you do something "bad" with it. But in meat space, we enforce fences in their own right, whether or not there is any other criminal activity involved. Arguably, doing so makes the larger problem of ensuring that their isn't associated criminal activity more tractable.

Actually, real world example: over the weekend someone stole my phone out of my (unlocked) car while it was parked in my apartment building's garage. Now, let's say he hadn't stolen the phone. Just rifled through the glove box and center console. No harm no foul, right? Of course not. We presume there is no good reason to be looking through someone else's car, even if you fully intend not to take anything.

Now, that doesn't mean we should treat digital boundaries the same as physical ones, but I don't think it's as obvious as some people in the tech community make it out to be that there shouldn't be penalties (of some sort--the magnitude of such penalties is a whole another debate) for intentionally violating digital boundaries, regardless of how well they are protected.

That's an easy one! Just get congress to pass a law granting you retroactive immunity for breaking the law. http://www.guardian.co.uk/commentisfree/2012/oct/10/supreme-...

That was his admitted rationale - that he was seeking to embarrass people he despised because they were "unjustly wealthy?"

Obviously pure speculation (mixed with cynicism) recalling this story of the email harvesting I have no problems imagining a conversation like this occurred:

PR Flack: "Sir, we had a little PR snafu today and millions of email addresses of paying customers were exposed."

CEO: "So what?"

PR Flack: "Well it looks bad sir."

CEO: "Fine, shitcan some 50K a year nerd in one of data centers and then issue a press release indicating how seriously we take customer privacy".

No weev, you found a bug in their web app, then _YOU_ willfully published other peoples personally identifying information for your own fame and glory. Unfortunately, someone who's name and details you leaked didn't like that, and called in a favor. The DoJ came after you hard.

Your little tech crunch article chooses to omit crucial facts, and you are riding on the back of AAron Swartz again. You are nothing like AAron.

Right now the URL I'm looking at has "id=5095821" in it. If I change that to "id=5095822", I'm looking at something else published by Hacker News. But by DoJ standards, I'm "hacking" and have broken the law if HN didn't deliberately publish it.

weev is an ass. But he didn't hack anything.

These cases are trying to set a standard of "security by intent". There is no such thing. It's like my internet banking saying "To access your bank account, please type in your account number. Be careful to get it right or you'll be looking at someone else's account"

It's not the world's greatest hack, but it certainly was using the system in a manner that I'm certain AT&T did not intend. The IRC logs indicated that they knew what they were doing was likely criminal, and if AT&T discovered them, would "sue" them.

Whereas I'm guessing PG would be fine with you incrementing the number on the HN URL. And I'm pretty certain that's not criminal behavior.

It's important to note, that just because weev was hacking the AT&T site, didn't mean it was a criminal hack. In my mind it barely crosses the line - and he gets punished somewhat, but I'm thinking a week in jail and 30 days community service - not the silly levels that the feds are going to in this case.

Keep in mind - 99% of the population wouldn't have been able to figure out how to spoof the user-agent to get into the AT&T site, and most of those that could, wouldn't have gone beyond extracting a couple IDs, and then notifying AT&T.

Weev's sin (if not felony behavior) was extracting 100,000+ personal email addresses, and the exposing them for the sheer purpose of embarrassing people he despised. Do I believe he engaged in illegal behavior? Yes. Do I believe it merits years in Jail? No.

With regards to legal obligations - In California, the closest I can find is Bus. & Prof. Code §§ 22575-22578 [1]. It is a requirement for site collecting personal information to "conspicuously post its privacy policy on its Web site"

I can't find any laws in California that require the securing of this information beyond that, though.

[1] http://www.leginfo.ca.gov/cgi-bin/displaycode?section=bpc...

lets say you exploit that bug in the internet banking application and you access my account.

Then you start logging into other peoples accounts and copying their address, balance, transaction lists.

Then you publish all this information you have stolen and say "Oh dont use internet bank -- they don't protect your private information"

the bank should have done better to protect that information, granted, but you have also performed an unethical and criminal act by publishing this information.

both the bank and the person that leaked that information should be punished.

Real people were hurt here by having their PII exposed. Don't forget that.

That's because you didn't want to be friendly. You wanted to be hard. You wanted DoJ. Now you will be forced to want class action suit from your customers and bankrupcy.

I would hope that if you discovered a vulnerability in one of my web applications you would contact me first and allow it to be resolved. Might even be lucrative for you.

If you used that vulnerability to steal my database and publish it to the public ___domain -- when it has no place in the public ___domain, i would expect the DoJ to hunt you down.

I never said anything about not being friendly. But if you are playing with peoples identities, their lives, this is not friendly at all.

Once you contacted vendor it's not safe to go the pastebin route. So it becomes an unfeasible solution.

On the other hand, try to "hunt down" a pastebin post original author. It would be the last of your worries.

Also the quoted article does not appear to show considerable insight on internet security.

Sheer directory traversal should never be considered a criminal act.

Of course if they had followed through with the stock manipulation, this would warrant criminal punishment.

Although of course stock manipulation is only punishable if you're not a bank or hedgefund which is sad.

Later in the chat, another user says that weev should post the leaked data to a public mailing list, and weev says no because that could potentially be criminal.

If so, why didn't weev just show law-enforcement - maybe with press present? Why not stage it so, that it is a deal between you and a press-outlet, a live showing of the problem, with a DA (or police/FBI, what ever) present?

I know, it only works, if the API, making personal-email-addresses public was illegal. But if so, he would have shamed AT&T, he would have "normal" people caring, not only the internet-bubble and he would be relatively save in terms of legality. Or wouldn't he?

Government, and the laws that are drafted, will not make the internet more secure. My general feeling is that laws against hacking will only result in a less secure internet. This, in turn, will lead to more laws against hacking. And so on...

in one way it is no different than AT&T posting all the emails in a public webpage!

I think AT&T must be sued for poor security