I couldn't be more delighted with this amazing document from the US Court of Appeals for the Third Circuit.
US Attorney Paul J. Fishman and Assistant US Attorney Glenn J. Moramarco issue a lengthy but crystal-clear rebuttal to all the bad-faithed word-salad that Weev's hacker lawyers have dished up in the case against him for hacking AT&T -- word-salad regrettably abetted by Prof. Orin Kerr who I hope will emerged from this experience chastened about the limits of technolibertarianism/technocommunism on reality.
I live in hope.
This document really is a delight -- do glance through it.
With sterling logic and simple legal rebuttals, the two prosecutors walk us through one by one all the gambits and alibis and just outright lies that Weev has dished up on this affair -- gambits so typical of the whiny prevarications and manipulative dissembling that we all know only to well from any hacker apologia.
Look, here's the bottom line: neither Weev or his accomplice Spitler were owners of the devices whose serial numbers they manipulated to gain access to a list of user emails that were also not theirs. That's it! Private property! And that's what a normal court will find in a democratic society under the rule of law that doesn't suppress capitalism. There's not going to be a socialist or a libertarian outcome here.
Aside from the social system issues, this case is extremely important for establishing the rule of law over the unruly Internet's code-as-law, where a determined band of thugs insist on imposing their virtuality on the reality of the rest of us.
They think if they can just keep nastily shouting the same thing over and over again -- as Mike Masnick does on TechDirt with this case -- they will prevail. The twisted logic he and his fanboyz deploy on this -- claiming prosecutors "broke rules we made up" is really something to marvel at as well. Of course Weev didn't "break rules they made up" -- he broke the eminently reasonable and normal law of the meat-world, which pretty much ought to be allowed to trump every time the code-as-law coercion that geeks cook up to take power.
Basically, these claims that this case either doesn't fall under the CFAA (or, worse, that the CFAA needs "fixing" so this kind of case can never fall under it), come from a place of deep cynicism and nihilism that rejects every bit of common sense not to mention principle of torts law that we have in the organic world.
Every thing in this case as the prosecutors emphatically and amply note indicates cynical bad faith -- i.e. cunning lying and duplicity -- when Weev and Spitler claim that they made authorized contact with the AT&T server and lawfully downloaded everybody's email who had bought these ipads.
Of course they didn't because neither the website nor the iPads are theirs, they have no business monkeying with them whatsoever, and whatever flaws are in the system aren't somehow "rightfully" theirs to exploit. They didn't just "stumble on" this flaw and alert AT&T; Spitler's discovery is itself predicated on a desire to hack around the need to buy the device to get a cheap data plan, and his further "experimentations" are just more mayhem.
They didn't contact AT&T to alert them to the flaw, but instead tried to exploit them further and brag to the press.
Like Aaron Swartz kind of gave away his hand when he devised a script called "keepgrabbing.py" to ransack 1.7 million JSTOR files that were also improperly accessed and stolen via MIT, so Weev and Spitler exposed their hand with their script which was called "iPad 3G Account Slurper." Right.
Like that's "doing math in the browser" as the fanboyz claim these two were indulging in innocently.
"It is Not a Bar to Prosecution under the CFAA that the Victime Employed Bad Security," warn the prosecutors -- like it isn't a bar to prosecution of rape just because the victim had a short skirt.
The prosecutors even ferret out an instance where Weev himself uses the term "theft" to describe what he did, even though legions of fanboyz on TechDirt are pretending it's just normal access of available items.
Of course it's like using another person's password when you grab the serial number of the device they bought and only they should have in theory (and normal practice). Just because you did "math in the browser" -- snort -- doesn't mean it's now "yours" and you can slurp it, get the personal data with it, and do whatever.
Honestly, this is basic stuff and as I said, I hope Orin Kerr, who is participationg in an amicus brief to defend Weev as part of his anti-CFAA cause, is chastened. I hate it when decent people don't seem to be with the code cave and the crypto borg get corrupted by this twisted thinking.
In the comments on TechDirt, one nerd-ball gives a hugely detailed description of how the ICC-IDs work on the thingies. And you learn that millions -- billions -- of numbers can separate the blocks. And that of course then they had to use brute force, repetition, cunning, reassment and more cunning, etc. It's not "open" when you have to do that. It's not "like opening a door," and therefore "not breaking and entering" blah blah. Please.
Along the way to handily overturning the legal arguments one by one, there's some hilarious stuff, like this:
Appellant Andrew Auernheimer was in charge of Goatse Security, which sometimes purports to be a security research company. It is not, to put it mildly, a traditional security research company. The firm's name is a reference to a notoriously obscene internet shock site. On its own website, Goatse Security claims it is "a wholly owned subsidiary of the GNAA," with a hyperlink to the "Gay Niggers Association of America." [...] Goatse Security's corporate motto is "gaping holes exposed."
There's even a footnote for 'a more graphic description" of goatse, which everyone knows also doubles as a depiction of Weev's personality.
The "corporate" website lists weev's ability to "bash while drunk" and "program in perl while tripping". Lovely.
The business interests and goals of Goatse Security were explained by Auernheimer in an email, explains the brief.
At Goatse Security, we don't really care about fighting cyberterrorism or cyber crime or whatever. We are pioneering new classes of exploits, new methods of evading IDS and new ways to use computers as tools to make shit happen. our minds won't be owned by some liar's system of ethics, but they are for rent to any God or government (or corporation or criminal organizations) that will write a check of sufficient size.
Not surprisingly, the prosecutors concludes:
In reality, Goatse was not a legitimate business, but instead was a group of hackers, led by Auernheimer, who would discuss computer security flaws in a private internet chat room and help each other with their exploits.
Sounds a lot like Brown's "journalism," you know?
There's a lot here that is never, ever covered in the sycophantic tech press that always backs hackers (it's the Google business model) -- like Spitler's motive for this caper in the first place, which was to trick AT&T into giving him a $30 data plan even though he didn't have the device that matched that plan.
Extremely crucial to this case -- that little factlet -- and yet not a single tech publication covered it. Shame on them.
While it's long and winding, the prosecutors basically explain that these two douches impersonated normal users to grab stuff -- and that's exactly the case. So their word-salading that this is just normal interaction with a public-facing server "designed" to do this just doesn't convince. The prosecutors of course have a rich trove of precedent in our common law system like the case of the guy that tried to scrape an auction site to underbid it. Hey, we saw that in Second Life.
So Mike Masnick be damned, he and his hellions will not get anywhere with this.
Prosecutors shouldn't have to explain basics like the fact that if you leave your bike unlocked, or your door open, if your bike is stolen or your house robbed, it's still a crime. It's not you being to blame for the exercise of a thief's First Amendment, you know?
I'm glad the prosecutors also reject that idea that you can't improperly access a computer "without violating a code-based restriction or without using someone else's password."
Of course the legions of hackers want desperately for the law to be undermined and perverted and ultimately trounced in favour of code-as-law. If they can make it so that CFAA only means overcoming hard-coded lock-outs and not exploits using cunning methods, or social hacks, or exploitations of situations people didn't realize, then they can let themselves off the hook for numerous crimes particularly of copyrighted items theft -- which yes, is theft.
"When Jack goes to a computer and enters Jane's password, the computer responds exactly as it was programmed to do. It gives Jack access to Jane's information, but that is still unauthorized access," says the prosecutors.
Hackers would like to overturn that notion and always bless Jack. And here, Spitler is far worse than Jack, because's written a script with "carefluly designed URLs, to 'spoof' the iPads of actual iPad owners, such that AT&T's esrvers were fooled into treating Spitler's accesses as though they were accesses by the true owners of the spoofed iPads."
And that really is the size of it. If Orin can pull "authorized access" out of such a bad-faith situation, where Weev and Spitler think it's okay to fool servers or that the very concept of fooling a machine cannot even exist, then we really have to worry about the future of our freedom. The prosecutors pointed out that picked locks also respond mechanically as "they are supposed to" when thieves pick them. That doesn't make it lawful.
I'm really glad the prosecutors speak to the sheer criminality of trying to pretending hacking is good and hacking is never using coercion and stealth and is never wrong if it accesses a computer in ways the owner does not want him too. The point out that if the definition the filers of the amicus briefs want would prevail , that would decriminalize Albert Golzalez, the mastermillion of a credit card theft involving 170 million cards and ATM numbers who got 20 years in jail.
These prosecutors also adopt a no-nonsense approach to the outrageous claim that such cases as Weev's "put a chill" on the Internet surfing of everyone else. "Hardly," they say drily. Because the law addreses INTENT. The intent of someone casually surfing who stumbles on an exploit isn't the same as a cynic who writes scripts named "Slurping" that try millions of times to hack something.
The prosecutors also dismiss the idea that white hat hackers are harmed by criminalizing Weev's actions -- nonsense, because -- intent again. They aren't writing scripts to frustrate a system and embarass Apple out of perverted hatred, they're just testing a system to secure it against attacks.
Here, pure gold:
Although Auernheimer tried to present an image of himself to the jury as a "white hat" hacker who was motivated primarily by a desire to inform the public of AT&T's security breach, rather than a desire for personal gain, the guilty verdict demonstrates that the jury rejected thees claims, and it is not difficult to see why. All of Auernheimer's statements at the time of the crime refuted his self-serving trial testimony. For example, Auernheimer did not follow the "white hat" rule, or even the "gray hate" rule, of disclosing the security violation to the affected compay. Indeed, he was "laughing out loud" about his transgressions in the Goatse Security chat room:
lollllll white hats are angry cause i violated their precious disclosure rules by going to a dotcom gossip rag.
The chats clearly demonstrate that, rather than concern about the privacy of others, Auernheimer was motivated by a desire for personal gain.
A word on the user agent. This is a subject of much, much contrived conniptions by the geek set particularly at TechDirt but ultimately, again, it comes down to this: intent. Oh, and whether it really is the huge common thing they claim such as to be "normal".
In a foot note, the prosecutors explain simply that it's not.
The Government is skeptical about Auernheimer's claim that changing user agent is "very common," but that is not an issue this Court needs to decide. The Government suspects that only a small percantage of internet users even know what a "user agent" is, or have ever purposefully changed a user agent. A defense witness, R. David Hulsey, testified that spoofing an iPad requires technical sophistication. What is commonly done by computer professionals and hackers is not commonly done by internet users in general.
It doesn't matter if certain versions of the Firefox browser, for example, change user agents under certain conditions -- these examples cited are from the realm of code not being used as obnoxious force but simply doing its job for a narrow purpose. The prosecutors point out that Spitler "impersonated authorized users by submitting their unique ICC-IDs to gain access to the AT&T server." Exactly. He is not those 114,000 different unique users, each of whom paid for the iPad. Insteda, he's a punk who jimmied the loose lock to get them.
Best of all, they cite Orin Kerr in favour of their arguments from a 2003 article, that correctly guessing a password is still "under false identification" and "is a type of code-based unauthorized access.) They also cite Kerr's pronouncement on Volokh that Aaron Swartz's access via MIT of JSTOR's archives was unauthorized. None of that "taking too many books out of the library" stuff in that case for Orin in his old days. This was brilliant work by these two prosecutors to undercut Orin's more goofy justifications for Weev today.
It's disturbing how many nerds are prepared to throw over the rule of law and have any argument and criminal code article used to jail Weev because he's nasty and has ruined people's lives outside of the AT&T case -- like his persecution of the blogger Kathy Sierra.
It's true that Weev is a vicious, narcissistic psychopath with no empathy for his victims, the sort that breeds easily on the endlessly self-reflecting and amplifying Internet.
But you don't have to reach outside the law to prosecute the malicious Weev because the prosecutors' arguments in this brief are absolutely sound and are an excellent pushback to the years of bad faith we've had from manipulative techies with their literalism and Fisking and all the rest to get their way.
There's lots more -- they find easily that they can have the case in New Jersey because the victims are in New Jersey -- but it is long. Geeks want to fine them for going over the word limit, but that's often what it takes to patiently debunk each and every one of the bad-faith arguments of the nihilist coders, as readers of this blog know only too well.
The prosecutors in the end decide they need not examine the whole "code-based restrictions" idea (as the only proper realm for the CFAA) because it "simply is not presented in this case" originally, only presented by the amici briefers.
Fishman and Moramarco in the end send the professors and hacker-enablers packing -- "the Amici should look to Congress and Not the Courts for the Particular Remedies They Seek". Indeed.
And no fair saying Congress is too stupid to understand technology. They have good lawyers there, real lawyers, and certainly plenty of help with technical expertise when they need it. And those lawyers will use the same simple, law-based arguments to overturn the manipulative griefing by Weev there was well.
Recent Comments