Andrew Auernheimer or Weev in July 2012. Photo by pinguino.
Wait a minute.
Not a single one of the tech tweeters and the TechThings could report this, that the prosecutor -- and the jury! -- simply never bought the trollish line of Weev?
"When it became clear that he was in trouble, he concocted the fiction that he was trying to make the Internet more secure, and that all he did was walk in through an unlocked door," U.S. Attorney Paul Fishman said in a statement. "The jury didn't buy it, and neither did the court in imposing sentence."
"He concocted the fiction." This is my favourite quote of the year so far -- after "the Boomerang never returns to the hand. This one does" -- and helps mitigate the sheer deluge of lies coming out of the tech lapdog press and its obedient RCA Victrola dog (lots of dogs here!), the mainstream media tech departments.
This was clear to me from day one about this hacker, nick-named Weev whose real name is Andrew Auernheimer -- and I'm glad it was clear to the jury or I'd really have to worry about our country.
We need more and more of these jury trials -- hey, drop the plea bargains, big fellas. We need jury trials. This is how we can burn it in. You concocted a fiction.
Yet Orin Kerr, the former DOJ prosecutor and libertarian who writes on The Volokh Conspiracy, will defend him. Presumambly not on the grounds that he "just did a math problem" or "engaged in free speech" but on some argumentation hinging on the "unauthorized" concept -- trying to limit it so that it doesn't mean, er, "probes" or "explorations" like this.
Sure, everyone needs a lawyer, and on appeal especially. But this is then a political gambit which Kerr uses as an activist to reform the CFAA. I don't see it needs reforming. The hacksters are edge-casing and concocting fiction. The idea that "he didn't access a server" (the favourite gambit of Shava Nerad as well re: Schwartz); or that he merely engaged in free speech aern't going to fly.
This argumentation is exactly like Bragg v. Linden. Bragg pretended the "offer was published" for cheaper-than-normal sims on the secondlife.com website merely because he was able to force up a back page he discovered accidently in the auction process. He found he could get a hot sim and re-sell it. But it was an exploit. The makers of the site didn't intend for their product to be accessed for free or at a deep discount by jimmying the URL. Just like AT&T didn't think its customers with ipads should provide their personal emails to the public. URL scams like that may not be technically "hacking," but claiming they are merely proper access in an, um, innovative way is just plain thuggish agitprop.
Baloney. Hopefully for reason and sanity, the appeal will fail.
First I got into a Twitfight about these cases with The Verge's Tim Carmody, whom I have watched for weeks on end spouting the usual hacker open source gabble. Then I was surprised that he answered me. He conceded that his gadget-selling publication's take on the other big verdict of the day -- the RIAA suit against the lady "who took 24 songs" was really about her contempt of court. I then took him to task for his Swartz story. He disagreed. I specifically asked him why he didn't report things like the judge's order to Swartz at his bail bond hearing to seek mental health because he needed it. He overlooked this tweet, ignored it later when asked, then said that The New Yorker story was good. Mkay. But his piece was sickly-sweet and never asked any questions.
I raised Matthew Keys' case -- and now Tim just felt there were "too many things" I was raising, and it was just awful to combine them all. Um, I pointed out that things move fast on the Internet, and the CFAA was what they all had in common! I tried to explain that Swartz, Weev, Kews, his take -- this is all part of selling Google ads, really.
But obviously, that needs unpacking. And I'm happy to unpack it. Hackers want to liberate information so that people share it more. When they share it more, they click on more ads. Google gets more revenue. The end. Now, that wasn't so wild and wacky was it?
He couldn't take the heat, and blocked me and denounced me as a troll. Yes, I totally get it when strangers come up to you on Twitter and give you full-blown tweet-length argumentations from a coherent world view that isn't your own, it feels like a conspiracy, a troll, stupidity. By why those instant labels, blocks, nerves? When I get someone who tells me that everything is all a plot by Big Sis (Janet Napolitano and Homeland Security) and I should buy gold, I ignore them. If they say something specific to me, I answer it. If I get someone less weird who says, "But you said X but it's Y," I answer it. Or not. I don't feel that need to block them unless they are spamming me with porn or violent threats. Why this fear of free speech by these denizens of Internet freedom? Why are they so fake?
I was surprised that someone thanked me for my comment, said it was good, and said there was more of this bad sort of faith at Wired's Threat Level. I haven't had a chance to study that but of course Quinn Norton is there, Swartz's ex partner.
Well, I don't see a thing wrong with 3.4 years for this hack of people's private addresses, bragging about it, victory-dancing with it, and claiming it was just exploration of a security whole. It's fiction.
The lawyer, Tor Ekeland, said his client would appeal. He said the Computer Fraud and Abuse Act doesn't clearly define what constitutes unauthorized access.
"If this is criminal, then tens of thousands of Americans are committing computer crimes every other day," Ekeland said in an interview. "There really was no harm."
But it does not mean that because tens of thousands of people don't peer at Flickr screenshots of gadgets, triangulate it with their own gadget's numbers, think about how spoofing and access to servers work; write up a big old grabby script to grab stuff fast, then operate it at top speed to grab. Very, very few people do that. Hello.
As for "unauthorized," even if it's 1984 and there's no Internet to speak of when the law was written, it doesn't matter. Because It's self-explanatory. It's access by unauthorized persons. That means people who do not have log-in credentials and who spoof them or crack them or take advantage of a loophole to enter and use the system as it was not intended. If the CFAA is to be redrafted, it has to be written around preciously Weev's snotty assholery here to criminalize that exact sort of snide jimmying and pretending it's okay. Again, it was not a walk-in -- a walk-in is giong to att.net and clicking. It was:
o seeing a screenshot of the necessary number to access the emails on Flickr
o and seeing that number on the device itself and/or using those two data points to figure out the range and pattern of numbers
o using them to poke into the system to retrieve 130,000 emails that were not supposed to come to you as an individual user
o writing a grab script
o testing and running it
o getting the hot loot of 100,000 people's addresses, quite a few of them famous
o bragging about this to the press and let the press (Gawker) publish it, even if redacted
None of that is clicking on att.net.
I don't think 3.4 years is too much for this, because it's deliberate. It's not accidental. It's cunning and insincere. It's on purpose, with a cherry on top. Deterrence is important. Orin Kerr himself has written often of the importance of deterrence in prosecution. Now he's undoing that for the sake of his own fetish about "unauthorized" that he wants to test on this creep.
It's not a Boy Scout good deed to hack people so they "know about their security breaches" either. There isn't a law that would punish AT&T for not securing email lists when they had devised a system in which this was not supposed to happen. You can't be punished for not thinking cunningly like a hacker and contorting yourself and triangulating data to perform an exploit like this.