
I get it, but the flip side is that if Auernheimer is brought into the same discussion, do we not risk alienating a public likely very sympathetic to Swartz's plight?

In other words, if it's possible that legal reform designed to prevent cases like Aaron's from occurring again could also let bad actors like Auernheimer off the hook, that could undermine support for the reform.

As far as whether Auernheimer is a felon, I still don't know. It's one thing to find a vulnerability, it's another thing entirely to not only not report it, but exploit it and openly discuss how to use the results to cause significant material harm.

Reported actions of Auernheimer in the AT&T case:

- Did not report the vulnerability but sat on it and refined a script to exploit the data and debated how and who in the press to report the vulnerability to in order to inflict the most economic damage.

- Harvested over 114k emails.

Alleged quotes of Auernheimer:

- "I don't see the point unless we phish for passes even then that's boring"

- "[A]t this point we won. we dropepd [sic] the stock price," Auernheimer wrote. "[L]et's not like do anything else we fking win and i get to like spin us as a legitimate security organization."

Very, very hard to be sympathetic here. He exploited a vulnerability, stole information and discussed at length how to use it to inflict damage. Weigh into that his past malicious behavior, and I wonder if he's not getting off easy.



I want this anecdote about weev to be the first thing that people talk about when someone brings up any comparison to Weev.

http://bedizen.livejournal.com/258763.html

Comparing Weev to Aaron is like comparing the Dalai Lama to Hitler. Weev is actively cultivating this comparison. DO NOT FEED THE FUCKING TROLL.


From what I've heard Weev is an Ass and Aaron was a superhero. You don't need to compare them however to see similarities in how they were treated and the problems with the US "Justice" system.

Prosecutorial bullying and overreach is bad whoever it is done to (even if they are an Ass/Hitler).

Do you want 10 years to be the normal sentence (or even the prosecutor's threat) for crawling URLs and reporting the privacy breaching results to the news media?

In my view some of the behaviour in the story that you linked to is MORE criminal than the actions against AT&T. If evidence can be found for that I would be fully in favour of that prosecution, but the "he's done all these horrible things that we can't prove so let's trump up a minor issue we can prove" concept doesn't feel like a secure route to freedom and justice for anybody. If the linked information could all be proved in court to be Weev I would be happy for him to get 1-2 years in prison for harassment or longer if it is a pattern of behaviour against other people too, but for the AT&T "hack" anything over a month or two would seem excessive to me.


"Do you want 10 years to be the normal sentence (or even the prosecutor's threat) for crawling URLs and reporting the privacy breaching results to the news media?"

This is such a sanitized version. I'm open to being corrected here, but afaik the 'crawling' in question was done by a script written and refined for the expressed purpose of harvesting data, with intent to cause material economic harm to AT&T, which they did. They sat on the vulnerability for days while discussing at length how to perform the 'report' in such a way as to cause the most negative effect.

They knew full well what they were doing was illegal and were afraid of being caught and discussed it.

Let's state it again in a less-sanitized fashion: They found a vulnerability, did not report it, exploited the vulnerability and stole data with the stated intent to cause material harm and/or sell said data, and actually brought about said economic harm.

People defending weev are making it sound like some guy tweaked a value in his browser url bar, ran to AT&T and said 'look what I found', and had his home promptly raided. Hence the ridiculous top comment on slashdot, "America has lost its fucking mind."

Let us not, as the hacker community, lose ours over this. What weev did was malicious and illegal and harmful and if we appear to defend him I'm afraid we undermine the cause of Aaron's case and the possibility of curtailing real prosecutorial aggression. I really don't think it was the case at all with weev.


I said crawling URLs not tweaking address bars (implying scripted mass process). The other point is that the sentence in this case whether reasonable for other reasons or not will be a reference point for future prosecutions against less unlikeable people.

Legally in the US there seems to be very little protection for privacy (unlike copyright) whereas in the UK Sony has just been fined £250K for failing to adequately secure personal data (PSN hack).

Should this person have collected more than 100K email addresses? - NO.

Should they have blown the whistle or reported it straight away? - YES

Were they criminal? Probably just about.

Does what they joked about matter? No unless they actually tried to do it.

Does the fact that they wanted to harm AT&T matter? Not much for me, AT&T harmed themselves and while discoverers of the flaw could mitigate AT&T's harm and these guys chose not to, for me that doesn't turn it into a crime although possibly does suggest additional sentencing is appropriate.

Is 10 years an appropriate sentence for accessing information that legally had less legal protection than copyright works? Definitely not in my view.


It's 10 years max, and no that doesn't seem disproportionate to me at all, given that you have stated malicious intent and actual material harm. I can think of white-collar crimes that have similar effect (dumping stock, insider info) that carry bigger max sentences.

I also completely disagree that AT&T 'harmed themselves'. This to me is grey-hat rationalizing/hand-washing. "It's not my fault that your security sucks. I just, you know, exploited it, harvested hundreds of thousands of emails, highlighted the most important executive and government official emails and released them in as public a manner as possible, potentially causing hundreds of thousands or even millions of dollars worth of economic damage and loss of reputation."

Sorry, to me a max 10 years is light, compared to the kinds of white-collar sentences we've seen for stuff like insider trading. They stole the data. They sat on it. They tried to release it in such a way as to cause harm, and the potential dollar-value risk for AT&T and all their employees was huge. Think of the massive hit RSA took when their data was stolen. It doesn't matter how "easy" the hack was: what matters is intent, action and effect. All three, to me, are clear-cut here. I don't see how weev could expect any different outcome.



