
From my understanding all you had to do was pass the ICC-ID to a script on AT&T's servers to get back the user data. I can see the court interpreting the ICC-ID as a form of access control since you'd have to guess them similarly to passwords.

What isn't quite clear to me is what they did with this data. It seems they reported the hole to AT&T who then fixed it. That's good. It also seems they passed the data off to reporters, which may be bad for their case. It seems like they acted, at least mostly, responsibly.

Assuming the data was never released to the public I don't think they should be prosecuting Auernheimer. That said, it does seem like they have a case based on the wording of the law.

It's a very real possibility that he's facing jail time, especially when you consider the volume of data. He's charged with breaking 18 USC § 1028A (aggravated ID theft laws) which carries a mandatory minimum of 2 years. Federal judges have some control over this but generally stick with sentencing guidelines. He could fight it and win, get them to reduce the charges, or do some serious work for the gov and hope the judge goes easy on him.

Note: I was convicted of violating 18 USC § 1028A (among other laws) so I have personal experience with this law, sentencing guidelines, and judge discretion but IANAL.



The ICCIDs here are sequential integers. It wasn't brute force, just incrementation. They are not secret and are certainly not access credentials. There were no access controls surrounding the web service in question.

The prosecution is asserting that access to any system without authorization is "access to a protected system" in the legal sense, which is obviously bogus. This would make the Googlebot's operators criminally liable if I put up a site at "johndoessocialsecuritynumber.com".

In fact, authorization is built into HTTP. There were no protections in place surrounding this data. Regardless of what he did with the data, downloading something from a public website is not criminal. (Though irrelevant legally, it's worth noting that he did nothing with the data except shame AT&T.)

(I put up weev's bail and am handling some of his PR while his computer restrictions are in place.)
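The sequential ICC-ID lookups described in this thread leave a very recognisable footprint in a web server's own access logs, which is where an operator would look to spot enumeration of an unauthenticated endpoint. This is an added example written for this discussion, not code from the thread or from AT&T; the log format, the `/lookup?iccid=` endpoint, the IP addresses and the ICC-ID values are all constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines for illustration; the endpoint,
# addresses and ICC-IDs are invented placeholders, not values from the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2010:03:14:01 +0000] "GET /lookup?iccid=89014100000000000101 HTTP/1.1" 200 87
203.0.113.5 - - [10/Jun/2010:03:14:01 +0000] "GET /lookup?iccid=89014100000000000102 HTTP/1.1" 200 91
203.0.113.5 - - [10/Jun/2010:03:14:02 +0000] "GET /lookup?iccid=89014100000000000103 HTTP/1.1" 404 0
203.0.113.5 - - [10/Jun/2010:03:14:02 +0000] "GET /lookup?iccid=89014100000000000104 HTTP/1.1" 200 88
203.0.113.5 - - [10/Jun/2010:03:14:03 +0000] "GET /lookup?iccid=89014100000000000105 HTTP/1.1" 200 90
198.51.100.7 - - [10/Jun/2010:03:15:10 +0000] "GET /lookup?iccid=89014100000000004242 HTTP/1.1" 200 85
198.51.100.7 - - [10/Jun/2010:03:20:44 +0000] "GET /lookup?iccid=89014100000000004242 HTTP/1.1" 200 85
"""

# Common-log-format line carrying a lookup by ICC-ID query parameter.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"GET /lookup\?iccid=(?P<iccid>\d+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def parse_lookups(log_text):
    """Return {client_ip: [iccid_int, ...]} in request order (any status code)."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            per_client[m["ip"]].append(int(m["iccid"]))
    return per_client


def sequential_fraction(ids):
    """Fraction of consecutive requests whose ICC-IDs differ by exactly 1."""
    if len(ids) < 2:
        return 0.0
    steps = [abs(b - a) for a, b in zip(ids, ids[1:])]
    return sum(1 for s in steps if s == 1) / len(steps)


def find_enumerators(log_text, min_requests=5, min_fraction=0.8):
    """Clients that issued many lookups while walking the ICC-ID space in order.

    A legitimate device re-checks its own ICC-ID; an enumerator increments it.
    """
    flagged = {}
    for ip, ids in parse_lookups(log_text).items():
        frac = sequential_fraction(ids)
        if len(ids) >= min_requests and frac >= min_fraction:
            flagged[ip] = {"requests": len(ids), "sequential_fraction": frac}
    return flagged


if __name__ == "__main__":
    for ip, stats in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {stats['requests']} lookups, "
              f"{stats['sequential_fraction']:.0%} sequential")
```

Failed lookups (the 404 above) are deliberately counted, because an enumerator walking an ID space produces misses as well as hits, and the misses are part of the signal.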


No, it wouldn't expose Google to that liability, because Google would have no intent to access information of any sort, let alone information that Google would have reason to believe it shouldn't have access to. The crimes charged here aren't strict-liability; the prosecution is required to prove intent.

Also: the authorization "built into" HTTP is used by a tiny minority of all web applications. Clearly, if you break into a retail brokerage and execute trades on behalf of other people, you're going to be liable, regardless of how that retail brokerage chooses to authenticate access to the site.

(I don't have a position about this particular case; I know virtually nothing about it).


> No, it wouldn't expose Google to that liability

It wouldn't expose Google to that liability because Google is a large US corporation.

If it were a single greyhat individual with a history of unpopular speech, the argument would probably go something along the lines of "any reasonable person wouldn't spider the whole web, because they'd know they'd eventually get SOMETHING they're not authorized to access..."


I'm just stating facts. The prosecution is required to prove that the defendant not only exceeded their authorization to the application in question, but that they did so knowingly.


[deleted]


In practice, you're unlikely to be charged for good-faith testing of someone else's system without their permission, especially if you're not an idiot and you don't ransom off your findings to the company. Also, many sites explicitly offer permission to security researchers to test their sites.

However, I believe it remains black-letter illegal to "test" websites for security flaws in such a way where you actually exploit flaws and gain access to internals or sensitive data.

Either way, don't do it. If you don't have permission (Google, for instance, gives blanket permission for testing), don't fuck with other people's web apps. It's very difficult to ensure that any kind of security testing, outside of really basic stuff like CSRF, won't disrupt the site; even silly XSS vectors can get cached in backends and replayed to other customers. You're unlikely to pick up a felony charge for doing this, but you can be sued.


I'm guessing that sneak wasn't referring to HTTP Basic Auth, but rather the fact that when an HTTP client says "GET", the server effectively says "HOW MUCH?" (A crude allusion to the classic "jump/how high?") I think sneak is arguing that receiving a response to an isolated GET request implies that the GET request was "authorized."

Edit: after reading selections of IRC logs and e-mails from the indictment, my sympathy with weev has been reduced. Granted, an indictment will select the most salacious excerpts to make its case in the strongest way possible, but the conversations in the indictment are far from white hat (unless the defendants manage to convince the court that their talk of phishing and spamming was merely juvenile humor).


I understand what he's saying, but a legal defense based on the response to an HTTP GET constituting de facto permission to access whatever that URL addresses is going to be disappointed. I'm not saying the defendant here is guilty; I'm just saying, he's not not guilty simply by reason of HTTP.

As a matter of law, the onus is not on the operators of web applications to ensure that their defenses are effective. If you do something stupid in your web app, but it remains clear to me that I'm not meant to access whatever your stupid app failed to prevent me from accessing, I can still be charged with a felony for doing it.

Now, if whatever it was that you tried and failed to protect wasn't obviously protected, so that I can argue in court that a reasonable person would have believed they did have permission to interact with it, I'll probably win in court. The prosecution will no doubt collect all my emails and any other piece of evidence it can find to build a case that I knew I wasn't supposed to hit your site that way. If you were especially dumb, and built an application that not only exposed sensitive information, but did so in a way that any normal person would just have assumed that sensitive information was theirs for the taking, the prosecution will have a hard time making their case.


I wonder what one could get an expert witness to testify to with regards to the meaning behind the HTTP protocol with respect to 'authorization'.


Sergey Bratus[1] (of Langsec[2] fame) testified as an expert witness for the defense in this very way within the last few days.

[1] http://www.cs.dartmouth.edu/~sergey/

[2] http://www.cs.dartmouth.edu/~sergey/langsec/


Do you really buy this line of argument? How many banking applications configure themselves so that they rely on the intended meanings of HTTP verbs and authorization headers as their primary overt security mechanism? And of those, how many do so correctly?

I get why Bratus would testify. The defendant here needs all the help he can get and is morally entitled to the best case he can possibly present. I respect and admire everyone who is trying to help him out. But presuming he's not guilty of a real conspiracy to defraud anyone, I have a hard time believing it's because AT&T's web application vulnerability entitled the public to their database.


I think it's reasonable for them to argue that AT&T's server's willingness to give them the e-mail addresses means that obtaining the addresses was not illegal, and that despite mulling over the darker possibilities available to them, by choosing not to put the e-mail addresses to illegal use they committed no crime. They could argue that they should not be convicted of conspiracy because they ultimately decided not to abuse the list of addresses.


I would like it to be harder than it seems to be to prove conspiracy to commit fraud.

I don't think I'd like it to be harder than it seems to be to prove unauthorized access.

I know that's the opposite of what most nerds like me want, but I think we're well served by a very broad definition of unauthorized access, and we're poorly served by vague conspiracy laws in more places than just online.

Note that under the US Code, you need both elements. Just plain unauthorized access isn't a federal crime; you need an intent to defraud.


> I know that's the opposite of what most nerds like me want, but I think we're well served by a very broad definition of unauthorized access, and we're poorly served by vague conspiracy laws in more places than just online.

I do agree with you regarding conspiracy, but you are right that I would in principle prefer to have every Internet-facing system as robustly secured as if it had been independently reviewed by you, cpercival, and the people who wrote the space shuttle's software. A small part of the reason I want this is so that absolutely anybody can confidently write and deploy scraping software that collects and analyzes information in new ways (e.g. IBM Watson, better search engines, or some other as yet undiscovered idea).


The CFAA does not in practice prevent search engines from scraping pages. In order to be charged under the CFAA, you must willfully access specific information on a website in furtherance of a fraudulent scheme, which in turn means you must be making specific representations as to your identity or actions that a website could reasonably rely on in order to trick that website into doing something it wouldn't have done otherwise. In CFAA cases, the prosecution must prove not only unauthorized access (which is easy) but also fraud (which is not as easy).


I think that you may be my only truly whitehat friend. <g>


I do. If there is any crime here (I don't think there is even one, FYI) it's AT&T not taking adequate measures to safeguard their customers' PII.

I don't think trafficking in any information should be a crime, though (unless it's the government - an asymmetry is necessary there), so I don't think a criminal trial is in any way justified.


> regardless of how that retail brokerage chooses to authenticate access

There was no other authentication system aside from HTTP in place in this case.

If that's the only one, and it's wide open, any reasonable person knows that the information there is public. That's how the web works. We're allowed to load URLs on planet Earth.


I understand where you're coming from, but that logic doesn't really work, does it? I can tell you that somewhere there is indeed an application that will respond to an unauthenticated GET request by transferring funds between accounts. You and I both know that. Deliberately loading that URL on planet Earth to effect funds transfers will get you charged.

So it's obviously more complicated than just "any unauthenticated URL must be fair game".


That sounds like a pretty dubious assertion to me, especially given the nature of $$$. Care to provide some evidence?


If that sounds like a dubious assertion to you, I'm guessing you don't work in application security. Me and 'sneak do.


I am currently employed in the banking industry, and live in Charlotte, NC–a major banking center. I can confirm that bugs of this nature exist, and are in fact, not even uncommon.


I guess maybe the disconnect here is, and help me understand, but why did he need to gather 110k email addresses?

If he never had any intention of using them, or just wanted to publicize the breach, why not gather two or three and then go to the press?

I guess an analogy might be - I see a bunch of boxes on the curb outside a doctor's office. I open one up and look at the first manila folder - it's someone's medical records. I open the second, it's also medical records.

If I take those two to go show a reporter, or yell at the doctor's office, I'm ethically clean. But if I take the boxes home with me, I'm in a much trickier legal and ethical situation, as why did I need to take the records home?


In computers, the only quantities that matter are zero, one, or many. My guess: weev wrote a script that incremented IDs just to see what would happen, it ran for a short time, and... whoops, there's 110k addresses there!

It's difficult to analogize this to the physical world; maybe you could say that you are the garbage collector, so your automated truck picking up one box of trash that happened to contain medical records is the same as picking up all the boxes, but that's still far from a perfect analogy.


It's worth reading the indictment, here (thanks to ssclafani for digging this up):

http://www.scribd.com/doc/113664772/46-Indictment

"The Account Slurper attached AT&T's servers for several days in or around June 2010, and was designed to harvest as many ICC-ID/email pairings as possible."

This is the indictment, so not proven, but the period for which the script ran is probably accurate. So nah, not a short time.

There's also some great IRC logs later on where they're talking about using the collected email addresses for phishing, debating whether or not it's worth the effort if they don't get passwords, and talking about selling the resulting email database.


I just glanced through the indictment linked above and the IRC log snippets are extremely damaging. Very hard to make the case that this is a purely innocent whistle blower. Maybe it's just trash talking among friends on IRC, but it will sound very, very bad when read in court.


Those are the things they DISCUSSED doing - what ACTUALLY HAPPENED was that they sent excerpts to the media and deleted their own copies.

It looks bad but I think it's more important to focus on the fact that they ended up doing the Right Thing with the data instead of fucking anyone directly - even when distinctly aware of the various opportunities available for misusing that data.

Many greyhat researchers don't have those ethics or morals.


That's why they've been charged with "Conspiracy", isn't it? The elements of federal Conspiracy:

(1) An agreement between two or more persons to commit at least one crime.

(2) A person joining the conspiracy knowing of at least one of its objects and intending to help accomplish it.

(3) One of the members of the conspiracy performed at least one overt act for the purpose of carrying out the conspiracy.

So, here:

1. Let's build a database of stolen AT&T email addresses associated with iPads and then sell them to spammers.

2. Here, run this script as I adjust it to increase the number of accounts it successfully finds.

3. Oh, look, I ran this script and got 100,000 email addresses.

Not good, right?

Look, if you read Spitler's indictment, it really doesn't seem like this particular conspiracy wanted to do anything but troll a huge company with thousands of people's personal information. I don't have a whole lot of sympathy for the defendants here, but it does seem like an injustice that could have been addressed in civil court.

It seems like a stretch to convince a jury that these people really wanted to sell the information they collected.

On the other hand, I think the idea that AT&T made this information available to the public in such a manner that you could have in good faith harvested hundreds of thousands of addresses is pretty much bunk. It's not going to help that A.A.'s first instinct was to run to the media because simply having the addresses was such a big story that they'd be on the front page of NEWS.GOOGLE.COM. He more or less immediately made clear to everyone that he knew he had no business handling that data.


It's debatable whether or not they did the right thing. Many security researchers would say that the right thing would have been telling AT&T first, giving AT&T a reasonable amount of time to respond, and only then going to the media.

This also speaks to motives. At the end of the day, I don't really care whether or not weev is a good guy. I do think it's important to be really clear about why he does the things he does, because otherwise you're not having the real conversation. IMHO, it's more important to protect jerks than it is to protect nice guys. It's harder to protect jerks.

Therefore, you're doing the community a disservice if you paint weev as an angel. Let him be who he is. Then defend him if his case merits it.

Tangentially, "many greyhat researchers don't have those ethics or morals" is irrelevant. The question at hand is whether or not weev acted morally, not whether or not he did better than average.


I don't see 'sneak doing anything but saying that A.A. was hit very hard by the Justice Department, and that he deserves the best possible defense and, in the meantime, the least possible disruption to his life. I wouldn't have coughed up bail money, but I admire the hell out of 'sneak for doing that.


He did also claim that weev did the Right Thing. I don't think that assertion is clearly accurate.

It's entirely possible that I'm focusing too much on motive; possibly the end effect (hole fixed) matters more than why weev did it in the first place.


Point of information: did weev or anyone at Goatse Security report the hole to AT&T, or did they just send the information to the media? None of the reporting I read at the time said that they reported to AT&T, but I could easily have missed something.


According to Spitler's indictment, they did not; in a captured IRC chat, A.A. told another member of his group explicitly that he had not reported the breach to AT&T.



