Prosecutors Admit They Don't Understand What Weev Did, But They're Sure It's Like Blowing Up A Nuclear Plant
from the wtf? dept
We’ve been covering the ridiculous DOJ case against Andrew “weev” Auernheimer for quite some time. If you don’t recall, Auernheimer and a partner found a really blatant security hole on AT&T’s servers that allowed them to very easily find out the email addresses of iPad owners. There was no breaking in to anything. The issue was that AT&T left this all exposed. But, with a very dangerous reading of the CFAA (Computer Fraud and Abuse Act) and a bunch of folks who don’t understand basic technology, weev was sentenced to 3.5 years in jail (and has been kept in solitary confinement for much of his stay so far). Part of the case is complicated by the fact that weev is kind of a world class jerk — who took great pleasure in being an extreme online troll, getting a thrill out of making others miserable. But that point should have no bearing on whether or not exposing a security hole, by basically entering a URL that AT&T failed to secure, becomes a criminal activity.
Throughout the case, it’s been clear that the DOJ was trying to make up an interpretation of the law that had no basis in the actual technology world. And it became abundantly clear at a hearing before the appeals court concerning weev’s case, that the DOJ really has no idea what weev did. They’re just sure it’s bad because it involves computers and stuff. Seriously, as reported by Vice:
“He had to decrypt and decode, and do all of these things I don’t even understand,” Assistant US Attorney Glenn Moramarco argued.
Say what? If that’s the basis for being declared a felon and locked up for 3.5 years, almost everyone is a felon. It’s likely that under that “standard” Moramarco himself is a felon, because I’ll bet he “decrypts and decodes and all of these things he doesn’t understand” on pretty much a daily basis. But, a tip to the US Attorneys’ office: when prosecuting a computer crime, you might want to at least try to have someone who actually understands the fundamental basics of what the person you’ve locked up has done.
But, Moramarco apparently doesn’t want to let his complete ignorance of what actually happened (someone putting a URL into a box and seeing the page that AT&T failed to secure) to get in the way of insane hyperbole about what he thinks weev did:
In its opening statement, the government made an incendiary comparison that seemed to reflect the nature of its understanding of the crime: the prosecution compared Auernheimer’s deeds to hackers “[blowing] up a nuclear power plant in New Jersey” in an attempt to illustrate how it was a relevant venue.
Yes, apparently exposing the fact that AT&T left its customers’ info wide open to anyone is the equivalent of blowing up a nuclear power plant. Yikes.
As the article notes, much of the hearing actually focused on the question of venue, and it appears that weev may get off on something of a technicality. Prosecutors had moved the case to New Jersey for no known reason and so it may get rejected for being the improper venue, which potentially could mean that the appeals court never even addresses the issue of just how badly the DOJ twisted the CFAA to bring down weev. The judges appear to be considering this, as they noted that based on the details of the case, there was no apparent connection to New Jersey and no reason why the DOJ couldn’t have brought the case anywhere (one judge apparently mentioned Hawaii).
The case is important because of all the CFAA abuse we’ve seen by the DOJ over recent years, and now it sounds like the appeals court may be able to just skip over that issue entirely. Given the DOJ’s own admissions of its lack of understanding about weev’s actions, that actually might be the best thing for the DOJ, allowing it to continue to make completely bogus CFAA arguments to take down technologically sophisticated people that the DOJ doesn’t like and doesn’t understand.
Filed Under: andrew auernheimer, cfaa, computer hacking, doj, glenn moramarco, security holes, trolls, venue, weev
Companies: at&t
Comments on “Prosecutors Admit They Don't Understand What Weev Did, But They're Sure It's Like Blowing Up A Nuclear Plant”
“He had to decrypt and decode, and do all of these things I don’t even understand,” Assistant US Attorney Glenn Moramarco argued.
It seems technology is not the only thing he fails at understanding considering the judicial process and the law enforcement side screw ups.
“[blowing] up a nuclear power plant in New Jersey”
It could be a reasonable comparison.
Let’s be realistic here. How bad would it be to blow up a nuclear power plant in New Jersey? I mean you can’t even buy a Tesla there anymore.
Ignorance is bliss. I’m surprised the DOJ didn’t throw weev in a pond, to see if he sinks to the bottom or floats, as part of their CFAA test.
IOW
“I am an idiot,” Assistant US Attorney Glenn Moramarco argued.
Someone please
How in the nine circles of hell is that considered an admissable, non-inflamatory comment?
Re: Someone please
because Terrorism!
Re: Re: Someone please
…Then why isn’t Moramarco in jail? Moramarco just incited terrorism!!!
Re: Re: Re: Someone please
Because Terrorism!
(That’s always the right answer these days.)
Re: Re: Re:2 Someone please
http://www.youtube.com/watch?v=0YOh-rpvjYg
Re: Someone please
the prosecution compared Auernheimer’s deeds to hackers “[blowing] up a nuclear power plant in New Jersey” in an attempt to illustrate how it was a relevant venue.
How in the nine circles of hell is that considered an admissable, non-inflamatory comment?
Because the defense attorney was not smart enough to object?
Re: Re: Someone please
Maybe he was too busy trying to pick his jaw off the floor after hearing such an insane, over the top accusation.
But yeah, the defense attorney should have objected very loudly, and very clearly, over such a blatant attempt at poisoning the jury against his client by comparing his action to something that’s not even remotely similar.
No known reason?!?!?
Of course it’s known – they obviously chose New Jersey because that’s where the nuclear powerplant that he didn’t blow up is!
Granted I don’t know how to code. But if you are going to make comparisons, wouldn’t a valid nuclear plant comparison be that he was showing them where their security holes so they can place a guard in that area?
Re: Re:
No coding necessary to do what he did.
Re: Re:
Somewhat like the power plant leaving the doors open to the storage area with all of the fuel rods and he pulled up in a truck, took a big pile of them, and then proceeded to park in front of the power plant security gate and hold up a sign that said “free fuel rods”.
Except with less chance of radiation sickness.
Re: Re: Re:
Thanks!!
Re: Re: Re:
Better, but still a faulty analogy. To get the fuel rods, you’d have to trespass. Weev didn’t even do that.
Re: Re: Re: Re:
The power plant warehouse has a window fronting the street, where you can get your daily fuel rod by saying your name. He said his name, got his fuel rod, then started to say a bunch of random names and got theirs too. Then he parked in front of the security gate.
Re: Re:
Imagine a whole neighborhood of houses. The power company tells you that they put a note on your door telling you when your power would be out. On that note, you realize that they put your name, address, phone and SSN.
You then decide to go to your next door neighbor’s house. You see that his name, address, phone and SSN are posted on his door too. You then realize that you could go around the neighborhood and get anyone’s full contact information.
So you go on a blog and say “The Power Company are idiots. They exposed everyone’s data. What a bunch of stupid fools!”
Then they arrest you (for 3.5 years and put you in solitary) for breaking into every house in the neighborhood, even though all you had to do was go to every address and look at the posting on the front door.
The prosecutors then say that because of your awesome B&E skills, you could have just as easily broken into the nuclear power plant and caused a meltdown.
Remember…
…the definition of ‘hacking’ has been updated.
hack, verb
1. to cut and clear (a way, path, etc.), as through undergrowth
2. to cough in short dry spasmodic bursts
3. to manipulate a computer program skilfully, esp, to gain unauthorized access to another computer system
4. to use a computer in a way that observers do not fully understand or do not like
Re: Re:
Re: Re: Re:
FTFY
Re: Re:
And this is why, when I find security holes, the very LAST thing that I do is mention them to the responsible party. I don’t work for them. I don’t owe them anything. And chances are good that if I try to help them out, they’ll respond by calling the feds.
So screw that. I keep them to myself and enjoy a good chuckle when days or years later it turns out that someone else found the same holes and exploited them.
I’m sure I’m not the only one doing this. The aggregate effect, of course, is that it makes the Internet less safe for everyone. But I’m not going to risk being the next weev. Not worth it.
So when you read about the next seventeen security breaches involving data loss incidents, you might wonder how many of those could have been avoided if unethical lying incompetent computer-illiterate assholes like Glenn Moramarco weren’t given the power to destroy lives.
Re: Re: Re:
“The aggregate effect, of course, is that it makes the Internet less safe for everyone. But I’m not going to risk being the next weev. Not worth it”
If you really want to do a public service and alert companies and people to software vulnerabilities you’ve found, there are numerous ways to do that anonymously. You don’t have to risk a thing.
Re: Re: Re: Re:
Yeah, you could even do it anonymously using the username “weev”.
Re: Re: Re:2 Re:
you could drop the info from seven proxies on a message/image board dedicated to computer security from a public computer requiring no login.
Re: Re: Re:3 Re:
or google groups/usenet, some people still participate in those believe it or not
Re: Re: Re:
The danger is what you noted of this persecution. Uncovering and reporting a security hole should never be a crime. There are too many websites with serious security problems. Unfixed holes create too much risk for innocent users being harmed.
Re: Re:
if you change rule 4 to be more generic,
4. to use a SYSTEM in a way that observers do not fully understand or do not like
then we can encompass judges and lawyers as Hackers of the legal system
"Ignorance of the law" by the prosecutor
Jurors are picked to have no knowledge of the subject of a
trial but if the judge and the prosecutor lack knowledge as
well then what purpose is the trial ?
“Ignorance of the law” by the prosecutor ought to be grounds for a
case to be dismissed if we had a system whose aim is Justice instead
of prosecutorial head count !
That is one of the functions of Jury Nullification. But
both judges and prosecutors try hard to prevent jurors
even hearing about that.
Re: "Ignorance of the law" by the prosecutor
I fully support that notion. If the prosecution doesn’t even understand what is being prosecuted, how can there be a case?
so, who actually brought the case for prosecution? i am assuming it was AT&T? if that is the case, i sincerely hope there is something further wrong with what they have for a website, it is found but not (obviously after this episode) reported and proves to be rather costly for AT&T.
the really sad thing is that in return for exposing the flaw, people have been reported to the authorities by the company concerned. instead of holding up hands and getting all embarrassed, they have crucified those who wanted only to help. i fail to see how any amount of embarrassment can be worth removing 3.5 years of someone’s life from them!!
i also fail to see why the DoJ has gone after the guy rather than the company, which is clearly in the wrong, when it is supposed to be ‘the justice dept’! but then, helping important industries seems to be even more important to them than actually following the law!
Re: Re:
so, who actually brought the case for prosecution?
It’s a criminal case, so the government brought the case.
i am assuming it was AT&T?
No, it’s a criminal case, not a civil one.
Re: Re:
Although the prosecution was brought by federal prosecutors within the DOJ, this case was initially investigated by the FBI at the behest of AT&T. I don’t think one can minimize the influence of AT&T in getting the government to pursue this case, although the details of that influence will probably never be known publicly. The case was, and is, such a weak one that never should have been pursued. Recall two people were charged; Andrew Auernheimer (Weev) and Daniel Spitler. Spitler pleaded guilty to the charges and was sentenced to 3 years probation on January 24, 2014. Compare that to 41 months of prison for Weev. This is yet another example of how people are severely punished, particularly in federal court, for fighting the charges against them.
I will provide the following timeline that shows how quickly the FBI got involved.
June 3, 2010 – June 8, 2010: Spitler and Weev collect email address/ICCID pairs.
June 6, 2010: Weev send emails to a handful of top media personnel whose emails were collected. He briefly explains how he came to know their email address and invites them to interview him. Weev explained that this was his way of, indirectly notifying AT&T of the security vulnerability.
June 7, 2010: AT&T is notified of the security breach by a ?business customer? who is not identified by AT&T.
June 8, 2010: AT&T has stated that they fixed this vulnerability, by Tuesday, within hours of being notified of the problem. They did this by disabling or removing the code which pre-populated the log-in page with an email address.
June 9, 2010: Weev contacts Ryan Tate of Gawker gives him the list of email address/ICCID pairings and details about their uncovering of AT&T’s security hole. Gawker publishes and article that very afternoon including a handful of redacted pairings that were for notable people.
June 10, 2010: Gawker is contacted by the FBI and issued a formal preservation of evidence notice.
You can see that the FBI was involved very early on. I can imagine that they were contacted by some executive at AT&T as soon as AT&T had learned of the breach.
This just reaffirms my opinion that the government equates Google to the Internet.
It makes sense if you think about this from their point of view.
Entering a URL into the address bar is hacking. Therefore, they use their Google homepage to search for the sites they want to go to.
Hmmm, it’s as bad as blowing up a nuclear plant? How is it the FBI didn’t stop this guy before he figured it out? Were they too busy trying to catch other terrorists in another sting operation? =P
Odd
You think they would try to make him sound like Snowden’s accomplice as he used a secret NSA method in monitoring and gathering peoples’ information.
If doing some computer stuff of questionable legality= 3.5 years in jail.
And blowing up a nuclear plant= doing some computer stuff of questionable legality.
Then, by the transitive property, blowing up a nuclear plant= 3.5 years in jail.
I sense incoming terrorism directed at nuclear plants, as blowing one up should only be a 3.5 year sentence. *Insert happy NSA armed with justification for spying on completely innocent people*
pics
I’ve been to sites that assign pics numerical identifiers, such that the only difference between some pics’ URLs is a chain of numbers at the end. Quick uploaders have been able to get related pics (say panels of a comic) to be in numerical sequence, which lets me navigate a comic just by changing one number in the URL (that way I can look at the full image, rather than the pic in whatever reduced size their viewer shows it in… for comic panels, some of the words can be down right impossible to read in the smaller size).
From what I remember & the recap, it looks like that’s all this guy did. He noticed a numerical ID, presumably when he logged in, & changed his to something else to see what would happen, & then reported the problem.
HOW ON EARTH IS THAT ILLEGAL IF HE REPORTED IT TO WHO HE WAS SUPPOSED TO? URLs have already been said to be public (they can’t be copyrighted, for instance), so entering one or a chain shouldn’t be a crime. How does finding a few URLs that someone screwed up the security on & pointing that out equate to jail time?
This is exactly how I would have defended myself if it were me, & probably gotten a jury to actually understand what was done. If it’s legal on one site, the identical thing can’t be illegal on the other. If it is, the law is broken.
Re: pics
It’s due to the often invoked, but never mentioned ‘Emperor’s new clothes’ clause in the law, where it’s illegal to make the government and/or a large company look bad by showing how they screwed up, or how they broke/bent the law.
Re: Re: pics
Re: Re: Re: pics
Mussolini would be proud of the US these days, oh boy!
Re: pics
There’s no sane reason for it to be illegal (and there’s a TON of sane reasons it should not be illegal) even if he didn’t report it to the company.
Couldn’t weev sue at this point or at least file for an appeal after all these blunders have been revealed? Or does rights to a lawyer end when corporations stop liking you?
Re: Re:
I suspect that if the prosecution thinks it will lose on facts it would rather lose on the technicality. Losing on the facts would remove the ability to use this logic on their next victim.
Blowing up nuclear power plants
The prosecutor does not understand computers also knows nothing about nuclear reactors. Nuclear reactors, as designed, will not suffer the implied nuclear detonation. One of the worst case scenarios is overpressurization of the steam in the reactor causing the pressure and containment vessels to burst. Not a very easy to do in practice. The net effect would be a dirty conventional bomb. Nasty for those near by and to certain extent downwind, but no mushroom cloud.
Re: Blowing up nuclear power plants
“Nasty for those near by and to certain extent downwind, but no mushroom cloud.”
Chernobyl says “who, me?”
A disaster like that is indeed very difficult to pull off, but to minimize the effect of it like that is misleading. The presence/absence of a mushroom cloud isn’t important. Chernobyl demonstrates that such events can have a very wide effect, not just for those nearby.
Regardless, comparing what weev did to that sort of thing is just plain idiotic.
Re: Re: Blowing up nuclear power plants
The French tried to explain until they were blue in the face back then that a nuclear reactor CANNOT EXPLODE. To their ruin, it ruined a lot of their nuclear industry (the Chernobyl thing).
Think about it, research it. The reactor at Cernobyl just disappeared, ceased to be, after an explosion. Russians (and Ukrainians and Belorussians in general know what’s up on this one).
A lot like Fukushima.
“But that point should have no bearing on whether or not exposing a security hole, by basically entering a URL that AT&T failed to secure, becomes a criminal activity.”
He should have been willfully blind. Wait, that doesn’t work…
Re: Re:
Wrong quote, but point stands.