Now imagine that you come upon a computer and that you click on one of the favorites. It's a banking website. No password, no HTTPS, no access controls at all. Who is responsible for the security breach? You or the bank?
I would argue that if there are no technological access controls in place, there is no such thing as "unauthorized access". You can't be unauthorized if there is no authorization. The default on the internet is "can access".
They're prosecuting him for the digital equivalent of walking down a street and taking pictures of houses which don't display numbers on their mailbox.
This is really the main point to me and I'm really confused as to how the law doesn't agree with this. How can you claim unauthorized access to something when there are no systems in place to grant or deny authorization? Comparing this to walking into someone's home who left the door unlocked (as someone in this thread has done) is bogus to me. Private property is private property and social norms (as well as the law) dictate that you don't just stroll into someone's home even if the door is open. The internet does not work that way and never has.
Except in many cases the private property is being made accessible. Imagine going to an open house and the owner accidentally left the basement unlocked. You open the door and walk down, then get arrested for breaking and entering.
That can be construed as impersonation without unauthorized access, which in some jurisdictions is illegal.
But that is not what AT&T did, which is more like an open brothel with conference rooms and private bedrooms. They just let in anyone that looked in one type of attire, and had some numbered badge come into one of the reserved conference rooms. IoW, the security person did not ask for ID, or a password to enter. The fault lies on the brothel, not the visitor. For all we know, anyone could have come in with that attire, and a matching badge out of coincidence (maybe there was a costume party, who knows, still the brothel did not do a good job of securing the reserved conference rooms).
> No password, no HTTPS, no access controls at all. Who is responsible for the security breach? You or the bank?
The bank, they are not complying with the legal statutes, and more than likely violating their own privacy policy, if any exists.
> I would argue that if there are no technological access controls in place, there is no such thing as "unauthorized access". You can't be unauthorized if there is no authorization. The default on the internet is "can access".
That is correct. In that analogy, it would be an open business, like stores or malls. It follows jurisdictions of private properties, with some business statutes, but overall, since it is an open-doors business, there are no authorization requirements.
> They're prosecuting him for the digital equivalent of walking down a street and taking pictures of houses which don't display numbers on their mailbox.
No. Like in the example above, they are charging him with wearing an attire with a numbered badge, and coming into the reserved conference room, and learning the attendants' names or addresses (which should not be there in the first place, esp. with no security protocols). The worst they can charge him with is impersonation. However, what can incriminate him is if the pages he visited clearly displayed or linked the Terms of Service or EULA, which does detail this scenario, and he violated it in some way.
Or is it like walking into someone's private home because they left the door open? Or merely unlocked?
The law likes to operate on analogies, because analogous situations are ones for which we have precedent, and precedent makes the law predictable. The sad thing is, precedent goes back to the pre-computer era, too, and isn't necessarily overturned just because new technology with new social expectations is involved. Maybe in a couple generations.
Well it was right in the same store you invited me in to! There was no sign or lock or anything saying not to look at the shelf.
This was a PUBLIC website... you are supposed to be able to visit it. If you make a request to a server without providing authentication and it returns data, that is not your fault. That is what you are SUPPOSED to do to servers. If it asks for authentication and tells you you are unauthorized, but you brute force the password or find an exploit, then THAT is a crime. There was no authentication in this case.
I think the way I would go about arguing against it is that people on the street/sidewalk have no expectation of privacy. There are literally no access controls of any kind. Anyone can walk on the street; billionaires and homeless alike. There are no societal conventions that privacy is assured on the street and if you end up in someone else's picture it's your fault, not theirs.
Houses are not the street. They are private property. We do have a reasonable expectation of privacy there (NSA notwithstanding) and a part of privacy is access control. So the right of the owner of a house to control access to his house is fairly well understood and accepted even in the case where a house might be unlocked or a door left open.
The real question is this: Is the internet like the street or a house? The answer, in my opinion, is that "it depends" because websites can act both ways depending on how they are designed and implemented.
HN is basically a street in that it has no access controls to view content. Very nearly every page on HN can be accessed by the public (linked to or not) without being logged in. The URL of your comment is https://news.ycombinator.com/item?id=6434945 for which I didn't have to type in a password. What about comment https://news.ycombinator.com/item?id=6434944 or https://news.ycombinator.com/item?id=6434946? Should they be "protected" by virtue of them not being displayed on the webpage right now?
My credit union's website is a bit of public street and a lot of house. I can view their promotional materials without any authorization but in order to get to the good stuff I have to enter both a username and a password, then pass a captcha. That is an access control.
What is the case with the AT&T website? Did they do anything to secure the content with a technological access control like a username/password? Did they filter the service such that the webservice would only return an email address if it was accessed by the same MAC address of the iPad that was sold to the customer? No, they did none of these things. Their only "access control" was a user-agent string which isn't guaranteed ANYWHERE to be accurate.
EDIT: changed a couple of words
It's more like if you were to walk into a retail establishment where the employees left the door unlocked after heading home for the day.
You can't buy anything because the cash register is locked, and taking something would clearly be stealing, but if a posted sign says "we're open", can you be faulted for looking around?
BANG. Jail Time.
I still bailed him out of jail for the time leading up to and during his trial. Why? Because UNPOPULAR SPEECH SHOULD NEVER BE CRIMINAL, no matter how revolting. Indeed, it is the unpopular and revolting stuff that needs the most defending:
"The trouble with fighting for human freedom is that one spends most of one's time defending scoundrels. For it is against scoundrels that oppressive laws are first aimed, and oppression must be stopped at the beginning if it is to be stopped at all." —H.L. Mencken
If I were to threaten to murder you, you wouldn't expect the police to say "Eh, nothing we can do, he's got a right to free speech. Call us back after he shoots you, you'll have a case then."
William Roper: Yes, I'd cut down every law in England to do that!
Sir Thomas More: Oh? And when the last law was down, and the Devil turned 'round on you, where would you hide, Roper, the laws all being flat?
FTA: "His rise as a folk hero is a sign of how desensitized to the abuse of women online people have become," Sierra said. "I get so angry at the tech press, the way they try to spin him as a trickster, a prankster. It’s like they feel they have to at least say he’s a jerk. Openly admitting you enjoy ‘ruining lives for lulz’ is way past being a ‘jerk’. And it wasn’t just my life. He included my kids in his work. I think he does belong in prison for crimes he has committed, but what he’s in for now is not one of those crimes. I hate supporting the Free Weev movement, but I do."
She is so much a better person than I am.
Which is what he was convicted of. Harassment laws could also be implemented, depending on the jurisdiction.
When we want weev free, we're fighting for law and society, for just principles, not for the individual.
If they want to charge him under any other numerous crimes (data theft, attempted extortion, being an asshat) then I wouldn't have a problem with it either because those are things he's guilty/might-be-guilty of.
Hacking and violating the CFAA is not one of his crimes.
If weev harassed this woman in the manner described in the article you reference, he probably should be prosecuted for that. But it's not ok for prosecutors to put him in jail for something that should be perfectly legal, just because they can't (or didn't) put him in jail for something else.
It has the form of an outrage article without any actual content, as if someone fed Tumblr and Vice magazine into a Markov text generator.
In any case, that is very typical IRC conversation for a large portion of that subculture. They joked about doing these things, but they didn't actually take steps to do them. He considers himself a satirist, so it's not much different than some comedians talking nonsense over beers and having it show up in an indictment.
One of the chatters observing said they should post the list to full-disclosure. Weev replied saying "no, don't do that, it's potentially criminal." He then talked about how he gets to spin it in the media and he's won. That says pretty clearly that he was only out to make a scene, which is what he has always done.
Also, Weev himself says that he is unwilling to short AT&T's stock - I think he understood the ramifications that would have.
Imagine you walked into a public library and struck up a conversation with the librarian:
You: Can you tell me general information about this library?
Librarian: Certainly, this library was built in 1990, has a million books on its shelves, and...
You: What are the hours?
Librarian: Monday to Saturday, 10AM to 8PM. Sunday, 10AM to 5PM.
You: Frothy bacon generates utilitarian synapses!
Librarian: I'm sorry, that's not really a proper question I can help you with.
You: Can I borrow book identified by ISBN 4961357406830?
Librarian: Sure, here you go.
You: Can I borrow book identified by ISBN 6498794651315?
Librarian: Sure, here you go.
You: Can I borrow book identified by ISBN 9840546790354?
Librarian: Sure, here you go.
You: Can I borrow book identified by ISBN 3168706780943?
Librarian: Sure, here you go.
You: Can I borrow book identified by ISBN 7893781056145?
Librarian: Sure, here you go.
You: Can I borrow book identified by ISBN 2764894617987?
Librarian: Sure, here you go.
You: Can I borrow book identified by ISBN 9764660911970?
Librarian: Sure, here you go.
You: Can I borrow book identified by ISBN 6666666666666?
Librarian: Sorry, that book doesn't exist.
You: Can I borrow book identified by ISBN 8669177714641?
Librarian: Sorry, you've been requesting too many books lately.
You: Can you let me into the Staff lounge?
Librarian: Sorry, you'll need to show me your staff credentials when asking.
You: Can you provide me with a list of all employees and their salaries?
Librarian: Sorry, you are not allowed to have that information.
You: Can I use the general conference room on the third floor?
Librarian: Actually, that was moved. It's now on the second floor.
As you can no doubt see, these translate directly into HTTP requests:
GET /
200 OK - This library was built in 1990, has a million books...
GET /hours
200 OK - Monday to Saturday, 10AM to 8PM. Sunday, 10AM to 5PM.
POST /frothy-bacon-generates-utilitarian-synapses
400 BAD REQUEST
GET /books/4961357406830
200 OK - [contents]
GET /books/6498794651315
200 OK - [contents]
GET /books/9840546790354
200 OK - [contents]
GET /books/3168706780943
200 OK - [contents]
GET /books/7893781056145
200 OK - [contents]
GET /books/2764894617987
200 OK - [contents]
GET /books/9764660911970
200 OK - [contents]
GET /books/6666666666666
404 NOT FOUND
GET /books/8669177714641
429 TOO MANY REQUESTS
GET /admin
401 UNAUTHORIZED
GET /employees/salaries
403 FORBIDDEN
GET /floor/3/conference
301 MOVED; Location: /floor/2/conference
In both cases, we have a gatekeeper (librarian / web server) which is capable of responding to requests, can authorize various requests, can require credentials for sensitive requests, can limit the rate at which requests come in, can deny requests altogether, and can identify when requests for certain things have moved to new locations.
The librarian is smart enough to not hand out things like access to the staff lounge, a list of employees and their salaries, or even things like an arbitrary library member's borrowing history. The web server has been configured to not hand out things like admin access or other things which are deemed sensitive, but the owners of the web server have taken the position "Well, nobody's going to be guessing ISBN numbers, so we'll let anybody on the internet request the contents of those books."
When is the onus on the web server owner to configure their security properly? When is a "200 OK" response actually not okay? This is the "mind reader" aspect the article mentions.
1; DROP TABLE books; --
is that okay because, technically, the server let my request through?
Including ones like:
1 AND ("1" = SUBSTRING(select social_security_number from employees where employee_name = 'Angela Smith', 1, 1))
You can use variations on this to...
a) Ask our librarian for a series of about 50 books and hear whether or not she has them in stock.
b) Read Angela Smith's Social Security number right out of the database.
There apparently exist a lot of people on HN who would prefer to think that, despite my near-magical ability to correctly divine the SSN of any employee (or any other piece of data in the DB) with a SQL injection attack, the fact that I'm just looking at a book listing page in a totally authorized fashion means I must not be doing anything wrong.
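The librarian's /books/<isbn> gate from the comments above, written out so the difference between "the server answered" and "the server was asked the question it was designed for" is visible. This is an added illustration, not code from any commenter or from AT&T; the catalogue rows, titles and sample requests are constructed, and the request strings only mirror the shapes quoted above.

```python
"""The librarian's /books/<isbn> gate as code: one version lets the caller
rewrite the question put to the database, the others do not.

Added illustration for this thread, not code from any commenter or from
AT&T. The catalogue rows, titles and request strings are constructed; the
request strings only mirror the shapes quoted in the comment above."""
import re
import sqlite3

ISBN13 = re.compile(r"\d{13}")  # the only shape a legitimate request has


def make_db():
    """Constructed in-memory catalogue holding two of the thread's ISBNs."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE books (isbn INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO books VALUES (?, ?)", [
        (4961357406830, "Constructed Title A"),
        (6498794651315, "Constructed Title B"),
    ])
    return db


def vulnerable_lookup(db, isbn):
    """The situation the comment describes: the path segment is spliced into
    the SQL text, so anything after the number becomes part of the WHERE
    clause and the client, not the server, decides what is being asked."""
    row = db.execute(f"SELECT title FROM books WHERE isbn = {isbn}").fetchone()
    return (200, row[0]) if row else (404, "not found")


def parameterized_lookup(db, isbn):
    """Binding alone: the value reaches the engine as data and is only ever
    compared with the column, never parsed as SQL."""
    row = db.execute("SELECT title FROM books WHERE isbn = ?", (isbn,)).fetchone()
    return (200, row[0]) if row else (404, "not found")


def hardened_lookup(db, isbn):
    """What the librarian does: refuse a malformed question outright (400,
    the 'frothy bacon' case), then bind the well-formed one."""
    if not ISBN13.fullmatch(isbn):
        return 400, "bad request"
    return parameterized_lookup(db, int(isbn))


def table_exists(db, name="books"):
    """Lets a reader confirm the catalogue survived whatever was sent."""
    row = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


SAMPLE_LOG = [  # constructed access-log lines shaped like the comment's requests
    "GET /books/4961357406830",
    "GET /books/6666666666666",
    "GET /books/1; DROP TABLE books; --",
    "GET /books/8669177714641",
]


def flag_malformed(lines):
    """Detection side: the requests a well-configured server answers with 400
    are also the ones worth alerting on."""
    flagged = []
    for line in lines:
        _, path = line.split(" ", 1)
        ident = path[len("/books/"):]
        if not ISBN13.fullmatch(ident):
            flagged.append(ident)
    return flagged
```

With the vulnerable version, appending `AND 1=1` or `AND 1=2` to a real ISBN flips the answer between 200 and 404, which is the "hear whether she has them in stock" oracle; the bound and validated versions answer 404 or 400 and leave the catalogue untouched.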
To repurpose his analogy, if you sneak into the staff room and the librarian doesn't notice and doesn't stop you, you can't use that to say it must have been okay.
You: Can I have this book?
Worker: No, sorry, not allowed.
You: It's ok, the boss said so.
Worker: I don't think so.
You: We're friends, right? You don't say no to your friends, do you?
Worker: Well, ok, I guess you can have it.
Hey, the worker said it was ok, I guess you were authorized after all!
In normative arguments, analogies are used to bend reality to make your position seem reasonable regardless of whether or not it actually is. It would be better to judge weev's case on its own merits rather than try to justify a position using increasingly complex analogies.
This doesn't always work (particularly not for truly disruptive technical or social changes), but it's a pretty good way of doing it.
The problem here is that AT&T employed a human being to design an automated system who didn't know enough about the automated system to ensure that it was correct. And then this automated system did exactly what it was told to do and made AT&T look bad.
But the fact that the code running on the webserver didn't reflect the intent of some AT&T exec or their company policy isn't the fault of those accessing the webserver. It's AT&T's fault for doing a really terrible job of QA/QC on their own systems prior to a really big launch.
> When is the onus on the web server owner to configure their security properly? When is a "200 OK" response actually not okay? This is the "mind reader" aspect the article mentions
This is why the laws usually care about the intent. It's a combination of the action and the reason that's important (which is why there's a difference between murder and manslaughter).
There are no hard and fast rules, and there simply cannot be.
Weev clearly knew that AT&T shouldn't be handing over the information. He wasn't there saying "Wait, this isn't a normal service?".
> The librarian is smart enough to not hand out things like access to the staff lounge, a list of employees and their salaries, or even things like an arbitrary library member's borrowing history.
If the librarian didn't know to restrict access to salary information, let's say the managers thought that if you knew the SSN that was enough of an ID to get access, and you repeat the example, it becomes a bit more clear how intent is important.
You: Can I have the salary of IanCal?
Recep: Sure, it's £X
You: Hmm, hey Dave, I think there's a security issue here, mind if I know your salary?
Dave: Sure, it's £Y
You: Can I have the salary of Dave?
Recep: Sure, it's £Y
You: Best go tell the managers.
That would be looked on very differently than:
You: Can I have the salary of IanCal?
Recep: Sure, it's £X
You: Hmm, hey Dave, I think there's a security issue here, can you generate SSN numbers?
Dave: Yeah I think so
You: Can I have the salary of SSN#1
Recep: Sure, it's £Y
...
You: Can I have the salary of SSN#147934
Recep: Sure, it's £Y
You: Hahahahaha, let's give all the info to a news site, bet you'd make money shorting the stock!
The core of it is the same, you've requested information for someone else that you shouldn't really have. Even if you remove the consent of Dave in the example, it's still different than the second example. And that was what was important.
I've been trying to think of a proper analogy to changing your user agent. Wearing a fake mustache and requesting information from someone publicly giving information to only mustachioed persons?
You: Can I borrow the book identified by ISBN 1234?
Librarian: We restrict access to that book to only people who will read it with our page turning machine.
You: Can I borrow the book identified by ISBN 1234? I am using your page turning machine now.
Librarian: Sure, here you go.
AT&T should be rightly mocked for their poor security, but weev wasn't just stumbling through data, he'd made good attempts to impersonate the setup the server wanted. He'd put a pair of glasses and a funny moustache on and the server was alright with it, which is definitely ridiculous.
1. You just finished your workout and went to a locker room at your gym (he went to a public website)
2. You opened up your own locker and took your stuff from it (checked his account)
3. You found out that very few people are using locks in the gym locker room (figured the account id in url )
4. You know that it is not your belongings in other people's lockers, but they are not locked just because people are just lazy or don't want to spend money on the lock (he knew that those accounts do not belong to him, and were accidentally not locked by AT&T)
5. You decided if those lockers are not locked - that means that clothes inside of those lockers are public property and you can easily borrow them (tried to browse to other urls and get private account info)
6. You go ahead and try opening every single locker in a room and put all the belongings you find in opened lockers on ebay to make profit and sell it, BEFORE letting know the owners or the gym that those belongings are not locked. (sold private data to somebody)
I think that's not legal behavior, as long as you understand that the property you are taking is not yours - you are committing a crime by taking it (stealing)
It also wildly disconnects around point 6. You make it sound like he stole everything that the users had in the accounts. In reality, he just copied their info. He didn't give himself anything from their accounts, like transferring credits to give himself free cable or something like that. Instead of stealing everything and selling it on eBay, it was more like him going through people's lockers, taking a picture of what they have inside, and then selling the pictures.
> But this technique, known as "scraping," is surprisingly common among technologically sophisticated users and has a number of legitimate applications.
> To get a list of sex offenders, Poulsen wrote an automated program to search the Department of Justice Web site for each zip code in the United States and then save the name and address of each registered sex offender in that zip code to a file.
Really? Really? That's a 'legitimate application'? Never mind that the pure existence of that registry is a slap in the face for people with my understanding of Freedom and Liberty (in caps), scraping _that list_ is why we want to protect scraping? I haven't felt that disconnected to content on this site for a long time.
> Yet most people would agree that Poulsen's actions were a legitimate journalistic project. So we might want to be careful about subjecting this kind of technique to criminal penalties.
Most people?? In what world?
I'm sorry for the detour, but the whole article is trying to defend weev while linking to atrocious actions of that guy in the past and coming up with the most despicable (Thanks Hollywood, learned a new term) reason for scraping _ever_. Disgusting.
No analogy in the world is going to change the fact that User-Agent checking and sequential IDs are not security features. And if courts are allowed to make them security features it is bad news for everyone's security.
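The point several commenters make, that a User-Agent check and a guessable ID are not access controls, beside what an access control for the same lookup looks like, and the log check a defender would run either way. This is an added illustration, not AT&T's code or any commenter's; the ICC-IDs, e-mail addresses, session tokens and log lines are constructed.

```python
"""A customer lookup gated only by User-Agent, beside one with a real access
control, plus the log check that catches ID enumeration either way.

Added illustration for this thread, not AT&T's code: the ICC-IDs, e-mail
addresses, session tokens and log lines below are all constructed."""
import re
from dataclasses import dataclass, field

# Constructed sample data: device ICC-ID -> account e-mail, and
# session token -> ICC-ID of the account that authenticated.
ACCOUNTS = {
    "89014100000000000001": "alice@example.com",
    "89014100000000000002": "bob@example.com",
}
SESSIONS = {"tok-alice": "89014100000000000001"}

IPAD_UA = re.compile(r"iPad")  # the "attire" the weak server looks for


@dataclass
class Request:
    params: dict
    headers: dict = field(default_factory=dict)


def weak_lookup(req):
    """What the thread describes: the only gate is a header the client writes
    itself, and the record returned is chosen by a client-supplied ID."""
    if not IPAD_UA.search(req.headers.get("User-Agent", "")):
        return 403, "unsupported device"
    email = ACCOUNTS.get(req.params.get("iccid", ""))
    return (200, email) if email else (404, "not found")


def hardened_lookup(req):
    """Authenticate the caller, then authorise the object: the account comes
    from the session, so the caller cannot choose someone else's record."""
    token = req.headers.get("Authorization", "")
    owner = SESSIONS.get(token[len("Bearer "):]) if token.startswith("Bearer ") else None
    if owner is None:
        return 401, "authentication required"
    requested = req.params.get("iccid", owner)
    if requested != owner:
        # Same answer whether or not the ID exists: no enumeration oracle.
        return 404, "not found"
    return 200, ACCOUNTS[owner]


ACCESS_LOG = [  # constructed: client address, then request path
    "203.0.113.7 /lookup?iccid=89014100000000000001",
    "203.0.113.7 /lookup?iccid=89014100000000000002",
    "203.0.113.7 /lookup?iccid=89014100000000000003",
    "198.51.100.4 /lookup?iccid=89014100000000000001",
    "198.51.100.4 /lookup?iccid=89014100000000000001",
]


def enumerating_clients(lines, threshold=3):
    """Detection side: one client asking for many distinct IDs is the
    librarian's 'too many books' case, whatever User-Agent it presents."""
    seen = {}
    for line in lines:
        client, path = line.split(" ", 1)
        match = re.search(r"iccid=(\d+)", path)
        if match:
            seen.setdefault(client, set()).add(match.group(1))
    return sorted(c for c, ids in seen.items() if len(ids) >= threshold)
```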
If I _request_ something from you ("hey, can I borrow your car?"), and you give it to me, then what's the problem here?
However, I find WP's use of Poulsen's activities as an example of "legitimate" automated HTML retrieval ("scraping") to be an odd one. It seems an awkward comparison to convey what should be a simple point, in my opinion.
How about something much more common? Googlebot. Imagine if we forbade Google from using automation and from scraping content and placing it in the Google cache. No more web search.
Alas, because of the ad hoc nature of the Web (i.e., there is no unifying organizational scheme for locating content across all websites as there would be in, say, locating content in a library of books), you cannot access Web content until you first discover it. In order to discover content, you generally have to search. In order to create an index and cache of content to search, someone has to scan/crawl/scrape websites. The latter three are activities that are routinely automated. As such, they will violate many website Terms of Service and may get you banned simply for being "automated".
In fact, to use Google as an example (not picking on them per se, it's just that they are a well-known example), crawling Google will "get you banned" from using Google, temporarily.
The irony of this has always intrigued me: Google may crawl your servers, but under Google's policies, you may not crawl Google's servers.
If I create an index of your website, at your expense (by aggressively running automated queries against your http server, as Google does, for example), am I obligated to share it with you?
In any event, attempts to criminalize automation should raise red flags with anyone who is even slightly tech savvy.
It looks like some of their site can be crawled and some not, that's how robots.txt has worked for a long time:
What are you suggesting?
You are welcome to critique, not harass⸮:
What he did is like sticking a GM car key into a Toyota. Generally that doesn't work, it shouldn't work... but what if it does anyway? Shouldn't the company that makes the cars fix that?
It is similar to accidentally posting all those email addresses on a bulletin board on the street and hoping no one reads them.