By Catherine A. Fitzpatrick
Weev (Andrew Auernheimer) bragged in a videotaped courthouse speech that he was being jailed "for doing arithmetic". That has become the rallying cry of numerous geeks in comments and forums everywhere who are trying to pretend that "science" is being punished. Weev -- a notorious troll and miscreant and nasty fellow, although that's not what he was tried for (and shouldn't be) -- even implied in a long rant, in which he giggled and exhibited racing and disjointed thoughts like a man on drugs (sounding for all the world like Barrett Brown), that America was doomed to disintegration and failure because it couldn't "innovate" and "fix things", ostensibly because it punished its brightest minds.
I saw the best minds of my generation destroyed by madness, starving hysterical naked, dragging themselves through the negro streets at dawn looking for an angry fix, angelheaded hipsters burning for the ancient heavenly connection to the starry dynamo in the machinery of night
Don't just watch his courthouse speech at TechCrunch, where thoughtful editors cut out the really crazy stuff; watch the uncut version below from YouTube for the full monty.
NOT A HACK, JUST A STROLL IN THE GARDEN
It isn't the first time we've had to suffer through an incoherent speech about how "innovation" involving theft and the exposure of private data isn't really a crime, but with this case we also get a lot of flippant and defiant claims that no wrongdoing at all was committed. We're also told that the Man is preventing us from having laptop batteries that last over 100 years.
Over and over, the tech media has sought to exonerate Weev's hack as mere exploration and "authorized access" of "public data", and has tried to downplay it as a "hack" because, technically, no server was broken into and no password was cracked. TechDirt is typical of all the TechThings ranting against the sentence:
This isn't a malicious "hack." It's barely a "hack" at all. This isn't "breaking in." This is just exploring a totally broken system. To call attention to this, weev collected information on a bunch of famous folks who had iPads and alerted the press. This is what security folks do all the time. And for his troubles in helping AT&T discover and close a pretty bad security hole, he's been sentenced to 41 months in prison plus he has to pay $73,000 to AT&T. One hopes AT&T will use it to hire half a decent security person or something.
But he was properly prosecuted under the law, the CFAA, and that law does not need reform; the precedent cases themselves are now establishing what "unauthorized access" is, so it is bogus to claim that the concept is so vague that the law must be struck down.
SECOND LIFE LITIGATION: 'I WAS ONLY ACCESSING A PUBLIC OFFERING'
Anyone who followed Bragg v. Linden, a case about a Second Life member who used an exploit to access a URL on the website in a way not intended by the owners of the site to gain server rentals at a substantial discount, knows the kind of snarky, bad-faith arguments somebody caught in the act can make once they try to pretend that the victim lifted her Internet skirts.
Many things in SL over the years strike me as precursors of what was to come, because it was a very concentrated form of Internet society and of social and technical hacks. Bragg screwed with a URL that he had accidentally found would give him unauthorized access to the auction of server space, or "land", known as "sims", and he then jimmied that URL to keep giving himself cheaper sims. He ran up a number of flags in his defense: a) that the company was misrepresenting its offer as "land" that you could "own" when in fact you didn't really own it under the TOS, and it could be confiscated from you at any time "for any reason or no reason" if you violated the TOS and Community Standards; b) that monkeying with a publicly viewable URL to obtain a public service was "open access" and not a crime, as it was "published" and did not require "hacking" to get at it. The case was settled out of court.
Geeks have worked extremely hard over the years to defend the notion that when a site is hacked without a technical "hack" using a crack or without a log-on and password gained illicitly, but just accessed by an unusual or innovative exploit, that isn't a crime and should be described as exploration or innovation -- and even a good deed, as it helps a company find their vulnerabilities.
LAWLESSNESS ON THE ELECTRONIC FRONTIER
This self-serving and corrupt reasoning is quite widespread now. It developed as the defense of the phone phreakers in the 1990s, defended by the Electronic Frontier Foundation founded by Mitch Kapor, and it has been used widely since to try to exonerate hackers from poking and prodding and looking around and even downloading 4 million files -- as in the case of Aaron Swartz, whose zealous protectors claim he did not commit a "hack" or "touch a server" but just used "public access". He didn't merely do that: he jacked a laptop right into the LAN after being kicked off the server for excessive downloading, and it was more complicated than that. But the cover story of "public access" and the "non-hack" is one that both the tech press and the mainstream media have adopted virtually without analysis or a backward glance, as it feeds the narrative that evil prosecutors are spoiling the creativity of bright kids who shouldn't be jailed.
The reality is both more complex and more simple: it is crime. And you need only read the indictments and the hackers' own writings to discover that.
ARRINGTON'S ALIBI: 'IT WAS ACCESSIBLE BY ANYBODY'
It helps to start in 2010, when the tech press first started writing about Weev's hack. Remember that there is nothing Internet geeks hate more than telcos -- they are their sworn enemies, for all kinds of reasons ranging from different concepts of communications architecture to the realities of business competition. (Kapor hoped for -- and predicted -- the extinction of telcos back in the 1990s, and didn't foresee that they would become welded to Apple phones and even Google phones to provide communications; he imagined that "the Internet" (Google, Yahoo, etc.) would run wireless, that people would use desktops and laptops for communications, and that the old dial-tone black-phone providers would be put out of business.)
In 2010, Michael Arrington, then editor of TechCrunch, a lawyer and investor in tech start-ups and Silicon Valley Big IT, wrote disparagingly of prosecutors and AT&T and lovingly of Weev -- he even decided to award the hacker a "Crunch" award for public service:
Here’s what happened: Goatse Security discovered a rather stupid vulnerability on the AT&T site that returned a customer email if a valid serial number for the iPad SIM card was entered. An invalid number returned nothing, a valid number returned a customer email address. Goatse created a script and quickly downloaded 114,000 customer emails. They then turned all that over to Gawker, after, they say, AT&T was notified and the vulnerability was closed. Gawker published some of the data with the emails removed. Says Goatse: “All data was gathered from a public webserver with no password, accessible by anyone on the Internet. There was no breach, intrusion, or penetration, by any means of the word.”
AT&T is characterizing the incident as “unauthorized computer “hackers” maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the email address you used to register your iPad for 3G service.”
We don’t see much hacking here, and we don’t see anything really malicious. AT&T was effectively publishing the information on the open Internet, and if there’s an FBI investigation, it should be focused on them, not Goatse. The fact is that Goatse was performing a public service by discovering and publishing the vulnerability – they made the Internet slightly safer by doing so. I agree completely with their blog post responding to the AT&T letter.
So with his massive influence and his prestigious prize, Mike Arrington set the tone for the "public access" argument that forms the heart of the "California business model" needed by Google and all start-ups -- unrelenting access to all people's privacy and data, unimpeded access to all websites to share information, and total exoneration for any access and copying for all concerned, so that the free account and ad model for the tech businesses can succeed -- as it did so grandly for Google.
If gadgets and apps and web sites and all kinds of services can't reach in and grab your private data; if customers on free services like Facebook can't be data-scraped and served up as marketing information to marketers; if ads cannot be sold on these web sites and apps, then the California Business Model cannot work: the prosecutions of Aaron Swartz, Matthew Keys, and Andrew Auernheimer all run starkly against that model, because they show that the government can and will regulate the exposure of privacy and the theft of digital property in the interests of the public and the law, in ways that put a chill not on free speech but on the money-making of tech firms. No wonder they're so mad; no wonder they agitate their children in the Internet revolution and even incite their deaths -- the stakes are high.
WEEV NEVER CONTACTED AT&T FIRST ABOUT THE EXPLOIT
Even in the comments on that article, some people spoke up -- perhaps tellingly, a woman who used the nick "tfcgirl" (fearing the nastiness of geeks like Weev) -- saying the analysis was wrong. Arrington either didn't know or wasn't telling that Weev in fact didn't contact AT&T:
In Weev/Auernheimer's own words, from Elinor Mills' recent CNET interview:
"We did the best we could. But we did not want to engage directly with AT&T in case they tried to serve us (an injunction) or something."
They did not notify AT&T beforehand. This was strictly black hat (clumsy) self-aggrandizement/competitive advantage.
The list of emails is extremely valuable. It was not necessary to retain them. It was a breach of a private computer system, a felony fraud, if AT&T wants to pursue it. I point this out not to vilify poor Weev but to marvel at his foolishness.
And to marvel at TC's, for eating his story whole. You do know who weev is, don't you? It's worth a Google search.
Another commentator back then, calling himself just "jamesn," said similarly:
After discovering the vulnerability, there was no legitimate reason for using that vulnerability to obtain 114,000 email addresses. Furthermore, there was no reason to turn this illegitimately obtained data over to the press.
Both of these actions were malicious by their very nature. Embarrassing AT&T publicly is a laudable goal, they didn't need to steal my email address in the process.
These voices of conscience by TechCrunch readers were drowned out and ridiculed.
Only one of his fellow geeks seemed to take Weev on substantively back then, trying to go through his claims line by line. Nobody else did.
SCHNEIER PUNTS ON SECURITY IMPLICATIONS
The famous Bruce Schneier punted on this massive breach of security, however, simply quoting from another blog and saying "No one knows yet" -- which is something consultants probably learn to say to their clients to buy time until they can poke around and gather lore. I've always said lore is more important than knowledge in the computer business.
Schneier himself seems to be more concerned to portray the hack as "not all that" in keeping with his puzzling tendency to minimize hacking crime. Perhaps he wishes to downgrade the petty script kiddies' dabblings to enable his own accessing of computers in general to seem like something of a high priesthood with himself as one of the archbishops. The comments on his post are rich with a discussion about the ramifications of IMSI -- a technical issue involved in the hack -- in which you see the lore-versus-knowledge scene play out -- smart geeks do their best to figure out what was involved, but get facts wrong because they haven't properly applied abstract knowledge with awareness of ramifications; other geeks set them straight with their experience-gained insights and then the "lore" trumps the abstraction. "This X, except in the Y setting it does Z".
Schneier links to Ars Technica, a more technically minded geek publication than TechCrunch, with an audience of more professional and full-time tech employees than the start-up readers TechCrunch seems to have, which wrote differently back in 2010:
Researchers looking into the security of GSM phone networks are suggesting that the recent breach, which saw tens of thousands of e-mail addresses and ICC-IDs inadvertently disclosed by AT&T, could have far more significant implications than a bit of extra spam: attackers can use the information to learn the names and phone numbers of the leaked users, and can even track their position.
The problem is that ICC-IDs—unique serial numbers that identify each SIM card—can often be converted into IMSIs. While the ICC-ID is nonsecret—it's often found printed on the boxes of cellphone/SIM bundles—the IMSI is somewhat secret. In theory, knowing an ICC-ID shouldn't be enough to determine an IMSI. The phone companies do need to know which IMSI corresponds to which ICC-ID, but this should be done by looking up the values in a big database.
In practice, however, many phone companies simply calculate the IMSI from the ICC-ID. This calculation is often very simple indeed, being little more complex than "combine this hard-coded value with the last nine digits of the ICC-ID." So while the leakage of AT&T's customers' ICC-IDs should be harmless, in practice, it could reveal a secret ID.
What can be done with that secret ID? Quite a lot, it turns out. The IMSI is sent by the phone to the network when first signing on to the network; it's used by the network to figure out which call should be routed where. With someone else's IMSI, an attacker can determine the person's name and phone number, and even track his or her position. It also opens the door to active attacks—creating fake cell towers that a victim's phone will connect to, enabling every call and text message to be eavesdropped.
We're a long way from Arrington's airy dismissal of any wrongdoing, and I don't know whether enough technical expertise was marshaled at the time to fit through the trap door he left himself -- "unless wrongdoing was shown".
But the Arrington narrative, the Schneier punt (no naming and shaming from that quarter) and the narrative of legions of script kiddies hacking sites and jailbreaking phones stuck, and the fine print about IMSIs got lost.
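That fine print is easy to see in code. The Python below is an added illustration written for this page, not code from AT&T, from Weev's group or from the Ars article. It assumes only the ICC-ID format described on the page (a 19-20 digit number with a Luhn check digit, as in ITU-T E.118), uses the ITU test network code 001/01 in place of any real carrier, and, for the weak scheme Ars describes, assumes that the nine account digits before the check digit are the ones glued onto the hard-coded prefix; the name imsi_from_iccid_naive and the ImsiRegistry class are hypothetical. The contrast it shows is the one Ars draws: when the IMSI is calculated from the ICC-ID, a leaked ICC-ID is the IMSI; when it is looked up in a table of randomly assigned values, the leak gives an attacker nothing to compute.

```python
import secrets
from typing import Dict, Optional


def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit pass the Luhn test.
    ITU-T E.118 specifies Luhn for the ICC-ID check digit."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:              # the rightmost payload digit is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def iccid_is_valid(iccid: str) -> bool:
    """Structural check only: 19-20 digits, major industry identifier 89
    (telecommunications) and a correct Luhn digit. Passing it says nothing
    about whether a SIM with this number was ever issued."""
    if not (iccid.isdigit() and 19 <= len(iccid) <= 20 and iccid.startswith("89")):
        return False
    return luhn_check_digit(iccid[:-1]) == iccid[-1]


# ITU test network (MCC 001, MNC 01): a stand-in, not any real carrier's code.
TEST_PLMN = "00101"


def imsi_from_iccid_naive(iccid: str, plmn: str = TEST_PLMN) -> str:
    """The weak scheme Ars describes: a hard-coded prefix glued to account digits
    copied out of the ICC-ID. Assumption for illustration: the nine digits just
    before the Luhn check digit. Anyone holding a leaked ICC-ID can run this
    offline, with no further contact with the carrier."""
    if not iccid_is_valid(iccid):
        raise ValueError("malformed ICC-ID")
    return plmn + iccid[-10:-1]


class ImsiRegistry:
    """The alternative Ars recommends: the IMSI is drawn at random when the SIM is
    provisioned, and the ICC-ID -> IMSI pairing exists only in the carrier's table.
    A leaked ICC-ID then gives an attacker nothing to calculate; the best offline
    guess at the nine-digit subscriber part is one in a billion."""

    def __init__(self, plmn: str = TEST_PLMN):
        self.plmn = plmn
        self._table: Dict[str, str] = {}

    def assign(self, iccid: str) -> str:
        if not iccid_is_valid(iccid):
            raise ValueError("malformed ICC-ID")
        msin = f"{secrets.randbelow(10**9):09d}"   # CSPRNG, not derived from the ICC-ID
        self._table[iccid] = self.plmn + msin
        return self._table[iccid]

    def lookup(self, iccid: str) -> Optional[str]:
        """What the network does at attach time: a lookup, not a calculation."""
        return self._table.get(iccid)


if __name__ == "__main__":
    body = "890100123456789012"                  # constructed, not a real SIM
    iccid = body + luhn_check_digit(body)        # -> 8901001234567890129
    print("ICC-ID:", iccid, "valid:", iccid_is_valid(iccid))
    print("naive IMSI, computable by anyone who saw the ICC-ID:", imsi_from_iccid_naive(iccid))
    reg = ImsiRegistry()
    print("registry IMSI before provisioning:", reg.lookup(iccid))
    print("registry IMSI after provisioning:", reg.assign(iccid))
```

The Luhn digit is also why a harvester can generate "valid" ICC-IDs without contacting anyone: the check digit is public arithmetic, so a generated number that passes iccid_is_valid costs the attacker nothing and the only thing that tells a live SIM from a dead one is the server's answer.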
Pinatas. Photo by cefuenco.
Fast forward to the trial and the indictment, and see that the narrative and counterfactuals are again being rehearsed.
TechCrunch -- not surprisingly, even after being bought by AOL and even with Arrington gone -- claims that it was just access to open data, and that Weev's sentencing is in fact a kind of grand indictment of a backward and failing American society that won't appreciate its clever innovators.
CELEBRITY EARLY ADOPTERS HIT
Motherboard gave a somewhat more accurate description of the story while still remaining sympathetic to Weev:
The hack for which Auernheimer and Daniel Spitler, 26, of San Francisco, California, were charged exploited a simple vulnerability in AT&T’s system: when the iPad was released in April 2010, Spitler discovered that a certain AT&T site would leak e-mail addresses to anyone who provided it with an ICC-ID, a number that was unique to each iPad, and to each email address connected to that iPad. He found the ICC-ID number format by examining photos of the iPad posted by gadget enthusiasts to Flickr and elsewhere (the number is also available under “Settings” on an iPad). Using a script called the “iPad 3G Account Slurper,” he mimicked iPads connecting to the web site, and, after a days-long run, ended with a massive haul of over 100,000 iPad users’ e-mail addresses.
Among their cache were an impressive list of early adopters: email addresses for Mayor Michael Bloomberg, Rahm Emanuel, Diane Sawyer of ABC News, and Col. William Eldredge, commander of the 28th Operations Group at Ellsworth Air Force Base in South Dakota, along with addresses belonging to folks at NASA, the Justice Department, the Defense Department, and the Department of Homeland Security.
Only sites that were more oriented to security professionals would tell AT&T's side of the story:
But AT&T saw it much differently. In a letter to Apple 3G iPad owners, Dorothy Attwood, a senior vice president and chief privacy officer at AT&T, said:
"On June 7 we learned that unauthorized computer 'hackers' maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the email address you used to register your iPad for 3G service. The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses. They then put together a list of these emails and distributed it for their own publicity."
ICC-ID is the Integrated Circuit Card Identifier of the user's iPad, which was a 19 to 20 digit number unique to every iPad (specifically, unique to the Subscriber Identity Module ("SIM") card in the iPad).
"Due to this feature, each time a user accessed the AT&T website, the user's ICC-ID was recognized and, in turn, the user's e-mail address was automatically displayed. This allowed the user speedier and more user-friendly access to the network."
"The ICC-IDs and iPad user e-mail addresses were not available to the public and were kept confidential by AT&T."
'I'M NOT LIKE THOSE /B/TARDS AND IT'S ALL AT&T'S FAULT ANYWAY'
But the 4chan set and the script-kiddie audiences on popular Internet sites like OhInternet supported the radical narrative exonerating Weev, even while drawing a distinction that those even more extreme -- and in jail -- could be committing crimes:
What are weev’s thoughts on the recent anti-sec and lulzsec movements within anonymous?
Does he have an opinion on the recent arrests that are happening?
These anonymous splinter groups are breaking into computer systems and stealing information, then publishing people’s personal data far and wide, harming individuals and organizations with their criminal actions.
Andrew’s group did not intrude into anyone’s computer systems. AT&T published their subscribers’ email addresses on the web with no authentication or protection in place. Nothing was stolen, only downloaded from the public web – just like what Google does every day. They notified the media of AT&T’s negligence and did not divulge the email addresses publicly, knowing that they should not be in the wrong hands.
This is the key difference between malicious criminals and a whistleblower trying to protect the public.
A whistleblower trying to protect the public?! Google bangs everybody's sites like a pinata day after day until they whack out its candies? Really, guys?
As we know, the New Jersey prosecutor in Weev's case -- and then the judge and jury -- found that Andrew had made a "concoction" to get himself off. In fact, he never contacted AT&T as he claimed in some settings to alert them, and in fact, while he didn't make good on his threats of further damage, he did knowingly and cunningly go after the largest data haul he could to make a grand "propaganda of the deed" for the hacking sub-culture's revolution.
WEEV HOLDS AT&T RATHER THAN HIMSELF ACCOUNTABLE
Weev developed his counter-narrative of "good Samaritan" and "whistleblower" with the help of an adoring tech press. Motherboard bought it in a sympathetic piece before his arrest:
In an e-mail he wrote to the U.S. attorney’s office in New Jersey last year, Auernheimer blamed AT&T for exposing customer data. “AT&T needs to be held accountable for their insecure infrastructure as a public utility and we must defend the rights of consumers, over the rights of shareholders."
“The ‘flaw’ in AT&T’s system was they put material on a public web server with no password, where there is an implicit license to access it,” he told me. “They put it on the library bookshelf. There was no unauthorized access, this material was available to anyone willing to type in a URL in an address bar. There was no ‘exploitation.’” He added, “I could have taken that list and made a shitton of money off of it, or had a botnet of a couple hundred thousand iPads. Instead I did the right thing. Like everyone that does the right thing in America, I was punished for it.”
DO I DARE TO EAT A PEACH?
Motherboard lovingly reiterated their darling hacker's far-fetched reasoning in the service of the revolutionary cause:
It’s illegal to “access a computer without authorization or exceed authorized access” on any “protected computer” which includes one that is “used in interstate or foreign commerce or communication.” That would mean, as Auernheimer told the press yesterday, that “the ‘protected computer’ is any network computer. You access a protected computer every day.” He asked a rhetorical question: “Have you ever received permission from Google to go to Google?” (The act has often been criticized for its vagueness.)
Okay, let's stop right there. When I access Google with its own browser Chrome, or with Firefox, I go to its big white page in the sky with the slit box on it, with its encroaching content and gadget businesses starting to seep in below, and the data-scraping social network and services-linker G+ often at the top if I'm logged in, and I type in a word like "Karakum", and Google fetches the term from all the sites it can, ranking them with its secret algorithms.
Hey, in that results batch I don't see Mayor Bloomberg's email, or a table of 120,000 emails of wealthy people who were early adopters of iPads, because that is not how Google's web crawl accesses public websites.
GOOGLE'S BIG -- BUT NOT THAT BIG -- GULP
Google doesn't slurp the way Weev slurps. It might like to -- it did with the wifi of its Google Street View, for example. But on a typical web crawl it doesn't grab tables of customer information from corporate sites and spit them into search. Not only is it stopped by robots.txt; it is not whacking at sites like a kid at a birthday party whacking a pinata, and it is not trying to come up with clever hacks and algorithms and scripts to slurp.
Those are all elements of the crime in this story, which isn't about open access and isn't only about math, but is about brute force (Orin Kerr, take note).
So let's go to the indictment, the state's listing of the evidence it found to support criminal charges, which served as the basis for the sentence of 3.4 years (41 months):
It's good, amid a noise storm of hackers saying that AT&T had "open access" to a "public document", to see what was actually found:
Prior to mid-June 2010, when an iPad 3G communicated with AT&T's website, its ICC-ID was automatically displayed in the Universal Resource Locator, or "URL," of the AT&T website in plain text. Seeing this, and discovering that each ICC-ID was connected to an iPad 3G user email address, defendant AUERNHEIMER and Spitler conspired to write, and did write, a script termed the "iPad 3G Account Slurper" (the "Account Slurper") and deployed it against AT&T's servers.
a. The Account Slurper was designed to mimic the behaviour of an iPad 3G so that AT&T's servers were fooled into believing that they were communicating with an actual iPad 3G and wrongly granted the Account Slurper access to AT&T's servers.
b. Once deployed, the Account Slurper utilized a process known as a "brute force" attack -- an iterative process used to obtain information from a computer system -- against AT&T's servers. Specifically, the Account Slurper randomly guessed ranges of ICC-IDs. An incorrect guess was met with no additional information, while a correct guess was rewarded with an ICC-ID/email pairing for a specific identifiable iPad 3G user.
So it's not like typing a URL and arriving at an address; it's not like typing one number and getting your own email hooked to your own gadget on registration; it's banging and banging and banging on the pinata and trying to make it crack. It isn't the cracking of a password; it's the brute force of barraging the site with numerous random numbers to get hits, based on the logic of how these machine applications work.
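The pattern the indictment describes -- one client presenting ICC-ID after ICC-ID and keeping only the guesses that come back with an address -- is also exactly what a defender would look for in the web logs. The Python below is an added example for this page, not AT&T's code and not the Account Slurper; the log format is Apache combined, the /ipad/login path and the ICCID query parameter are hypothetical stand-ins for the real endpoint (which the page does not give), and the sample log lines are constructed. The detector rests on one fact from the page: an iPad has exactly one SIM, so a single client presenting several different ICC-IDs is not an iPad. The LookupGuard class is the same rule applied on the server side, as a hypothetical hardening rather than whatever AT&T actually changed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (Apache combined format); not real AT&T traffic.
# The /ipad/login path and the ICCID parameter are hypothetical stand-ins.
UA = "Mozilla/5.0 (iPad; CPU OS 3_2 like Mac OS X)"
SAMPLE_LOG = "\n".join(
    # a genuine iPad: three requests over three minutes, always its own one ICC-ID
    [f'198.51.100.5 - - [09/Jun/2010:03:1{i}:00 +0000] '
     f'"GET /ipad/login?ICCID=8901001234567890129 HTTP/1.1" 200 612 "-" "{UA}"'
     for i in range(3)]
    # a harvester: six different ICC-IDs from one address inside one minute;
    # misses (540 bytes) return the bare form, hits (612 bytes) carry an address
    + [f'203.0.113.7 - - [09/Jun/2010:03:14:{10 + i:02d} +0000] '
       f'"GET /ipad/login?ICCID=890100123456789{i:04d} HTTP/1.1" 200 {612 if i % 2 else 540} "-" "{UA}"'
       for i in range(6)]
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
ICCID_RE = re.compile(r'[?&]ICCID=(\d{19,20})\b')


def parse_line(line):
    """Return the fields we need from one log line, or None if it is not an ICC-ID lookup."""
    m = LOG_RE.match(line)
    if not m:
        return None
    q = ICCID_RE.search(m.group("path"))
    if not q:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "iccid": q.group(1),
        "status": int(m.group("status")),
        "size": 0 if m.group("size") == "-" else int(m.group("size")),
    }


def find_enumerators(log_text, max_distinct=1, window_seconds=600):
    """Flag clients that presented more than max_distinct different ICC-IDs within
    any window_seconds span. A real iPad has one SIM, so the default tolerates
    exactly one ICC-ID per client. Returns {ip: summary}."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):            # sliding window over this client's requests
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if len({r["iccid"] for r in recs[start:end + 1]}) > max_distinct:
                flagged[ip] = {
                    "requests": len(recs),
                    "distinct_ids": len({r["iccid"] for r in recs}),
                    "first": recs[0]["ts"].isoformat(),
                    "last": recs[-1]["ts"].isoformat(),
                }
                break
    return flagged


class LookupGuard:
    """Server-side form of the same rule, for the handler that pre-populates the
    address: remember which ICC-ID each client has presented and refuse any other.
    A hypothetical hardening for illustration, not AT&T's actual fix."""

    def __init__(self, max_distinct=1):
        self.max_distinct = max_distinct
        self._seen = defaultdict(set)

    def allow(self, client_ip, iccid):
        ids = self._seen[client_ip]
        if iccid not in ids and len(ids) >= self.max_distinct:
            return False                         # enumeration: serve nothing
        ids.add(iccid)
        return True


if __name__ == "__main__":
    for ip, summary in find_enumerators(SAMPLE_LOG).items():
        print(ip, summary)
```

On a network where many iPads sit behind one NAT address, raise max_distinct or key the rule on a session cookie instead of the client IP; the hit-versus-miss response size is a second signal, but the distinct-ID count alone catches the Slurper's behaviour whether it has harvested 197 addresses or 120,000.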
It's important to see how this hack developed, too -- it hit a snag -- much like the snag Aaron Swartz hit when he got turfed off the MIT servers the first few times he tried to use his "keepgrabbing2.py" script on JSTOR.
Spitler, Weev's partner in crime, comes onto the IRC channel where the hackers chat and boasts that he has harvested 197 email addresses and thinks there should be many more.
HARVESTING OVERKILL IN A HACK
"I wrote a script to generate valid iccids and it loads the site and pulls an email," he crowed. Then he said he was "in a rut". He couldn't get more. This is why it isn't "public access" and "open data" -- it takes contorted thought, persistence, knowledge of how machines work, and conspiracy with another to figure out how to slurp more. These are all factors in the crime. Each element alone may be "nothing"; yet taken together they make up the unauthorized access. Although I'm not a lawyer and I'm sure there are many nuances here I don't know about, I do think Orin Kerr has to justify to the public why the nexus of the elements of crime that might seem like "overbroad authorized access" in fact are unauthorized access when taken together.
Weev then said that given that SIMs are allocated by geographic region, that means AT&T had probably suballocated free IDs to Apple "hopefully not at random...otherwise we have a real big space to search".
So Weev then tells his partner in crime to amass as many ICC-ID/e-mail pairings as he can get, "if we can get a big dataset we could direct market ipad accessories". Spitler then said he had 625, and Weev said it would take millions to make spam profitable.
As the conscientious commenter pointed out long ago at TechCrunch, if you were really only probing an exploit, if you were really only doing white-hat work to warn the company, why the 120,000? The 197 or the 625 would have made the point. A commenter named Algo explains further what was involved in grabbing the IMEIs.
Then Spitler came back and said "I hit fucking oil" -- because he had got it working to produce the 120,000.
WEEV CALLS HIS OWN ACTION 'THEFT'
The indictment goes on to say, "In or around June 2010, defendant AUERNHEIMER sent a series of e-mails to victims that included the ICC-IDs of the victims' iPads, and described his and his co-conspirators' actions as a 'theft'".
So while for the marks in the tech audience Auernheimer claims he didn't steal anything and it was all public documents and open access, and while he was able to convince the tech-press shills to simply reiterate this deception, swallowed whole, for the victims, as he relished his "life-ruining capacity," he had another word to describe his actions: theft.
The reality is that the drift of the brightest minds into criminality has set us up for vulnerability to hostile hackers at home and abroad, and has made everything in modern life that increasingly depends on the Internet more vulnerable. Back when this was being formed in the 1990s, those who pioneered and designed the tech, like Mitch Kapor, and enriched themselves with it were all too ready to move the slider on criminality and the competition to their business posed by the telecommunications companies, and to exonerate phone hackers. They moved on through another decade and a half to exonerate copyright thieves, destroying the content businesses, in order to create the thriving "California business model". So here we all are.
But young Weev is right where he needs to be, and not in his shack in the Ozarks, because what he did is theft and exploitation of a corporate site holding private data -- and these things need to be protected by law in a liberal democratic society under the rule of law with free enterprise. Weev thinks that evil corporate overlords or privacy-busting feds bent on killing innovation are preventing the engineers of America from making a laptop battery that lasts hundreds of years (yes, he says that in his courthouse-steps speech).
I don't think so. I think he's a common thug, and I've illustrated it here by carefully stepping through the hack itself. Orin Kerr will tarnish the name of academia and the bar if he converts the brute force of this hack, and the damage done to this corporation and its customers -- and to us all -- into "open access".
The exoneration of Weev might serve Mike Arrington and his investments and the investments of any number of VCs and start-ups and Big IT and varnish the reputations and massage the egos of the hacker collectives subsidized by academia and gov 2.0 programs. But it creates a world in which our private lives are endangered and corporations that provide goods and services and jobs are harmed.
It's curious, having watched the craziness above, to go back to the man in 2010 simulating some kind of business executive at an infosec firm -- for all the world like a Second Life roleplayer. Far from saying that public access to public information is nothing, he paints a lurid picture of its harm:
Could the ID numbers be used to conduct a targeted attack on the device or take control of it? Are all iPad users affected?
Auernheimer: Theoretically it's possible. I think the worst case scenario is someone would send a Safari exploit to those e-mails and someone would click the links on their iPad...My worst case scenario is someone would have scraped this list, gone to the RBN (Russian Business Network underground market) to buy a Safari exploit, and used it to compromise American government officials and corporate officers. That would be bad. So it was in people's best interest. At least they know. At least there's a public knowledge you might be compromised. You might want to change your e-mail address associated with the iPad. The public can take steps now to protect themselves, which they would have been oblivious to before. I think that's pretty important.
You know, so did the People of the United States. They're prosecuting the cynical asshole who did this hack deliberately, cunningly, methodically, as a conspiracy on a large scale, and who didn't warn AT&T privately because he thought he would be indicted. That's because he didn't just find out that a vulnerability existed; he tested and hacked at it and proved it on a massive scale, in a cynical fashion, with others, in a context where it really could lead to harm.