SoylentNews is people

posted by janrinok on Saturday April 12 2014, @08:21PM
from the lets-see-what-happens-now dept.

Andrew Auernheimer, aka Weev, the grayhat security researcher and Internet antiblog troll, was convicted for exposing a flaw in AT&T security which allowed the e-mail addresses of iPad users to be revealed.

The conviction was vacated Friday (2014/04/11) on the grounds of improper choice of venue, but the court commented anyway that "no evidence was advanced at trial" that "any password gate or other code-based barrier" was breached.

The defendant's attorney, Hanni Fakhoury, a staff attorney with the Electronic Frontier Foundation, said in an e-mail that a "retrial is barred by double jeopardy." If the authorities do seek a second trial, he said, "we will raise precisely that."

  • (Score: 3, Insightful) by frojack on Saturday April 12 2014, @09:03PM

    by frojack (1554) on Saturday April 12 2014, @09:03PM (#30604)

    Double Jeopardy is not likely to save him if the government wants to go after him. They will just charge him with other violations, some of which could be worse than those for which he was convicted.

    For instance, he did share email addresses and ICC-ID pairs. (But not passwords).

    Had he simply collected these, and explained how it was done, he would be ok, but sharing a list with Gawker violated New Jersey Law. Certainly New Jersey isn't the only state with such provisions, and the government need merely find another such jurisdiction and pursue only the State Charges, and ignore the Computer Fraud and Abuse Act charges altogether.

    They may find resistance from States to prosecute, (no actual user data was ever at risk, and states don't want to pay the costs of a trial and incarceration for a federal violation).

    Also, as the court said:

    “if venue is improper no constitutionally valid verdict could be reached regardless of the [potentially] overwhelming evidence against the defendant.”

    Therefore, the feds could argue (in a twisted sort of logic) that he never WAS in jeopardy, because the verdict would have no validity.

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 3, Insightful) by davester666 on Saturday April 12 2014, @09:21PM

      by davester666 (155) on Saturday April 12 2014, @09:21PM (#30609)

      Yes, this is like a bonus for the prosecution. It's a giant do-over, so it doubles the cost for the defendant. The prosecution knows they have bogus charges, this is about squishing somebody, so the next person knows not to annoy a big corporation.

  • (Score: 3, Insightful) by zim on Saturday April 12 2014, @09:30PM

    by zim (1251) on Saturday April 12 2014, @09:30PM (#30610)
    If you find a giant wide open security problem..

    DON'T TELL ANYONE!

    Maybe try to sell it. Cash in and then forget all about it.

    Or maybe wait until someone else exploits it and it's big news of the day.. Come out and say 'yeah i found that 5 years ago and didn't tell anyone because jail sucks'.

    That might get you 15 minutes of fame.
    • (Score: 1) by unauthorized on Saturday April 12 2014, @10:15PM

      by unauthorized (3776) on Saturday April 12 2014, @10:15PM (#30615)

      The problem is that weev didn't just find the exploit. He brute-forced his way through the entire set of IDs in order to download all the user data. If he had only downloaded a few entries as a proof-of-concept, I would have been far more sympathetic to his circumstances.

      The lesson here is "don't exploit security more than it's necessary to prove that there is a problem" if you plan on telling everyone about it. Or at least have the common sense not to link the attack to your real identity.

    • (Score: 1) by opinionated_science on Saturday April 12 2014, @10:15PM

      by opinionated_science (4031) on Saturday April 12 2014, @10:15PM (#30616)

      Any lawyers out there know if it is legal to sell discovered security flaws to a private buyer?

      Those "black market" websites do it for illegally obtained information (e.g. credit cards), but of course they are illicit to start with.

      I only mentioned it because you mention

      > DON'T TELL ANYONE!
      >
      > Maybe try to sell it. Cash in and then forget all about it.

      , and I had a vision of the Monty Python style "blackmail" game show!!!!

      • (Score: 1) by Horse With Stripes on Saturday April 12 2014, @10:55PM

        by Horse With Stripes (577) on Saturday April 12 2014, @10:55PM (#30622)

        Considering the government claims Weev broke the law when he "discovered" this security flaw, selling the information about the flaw would have been used as evidence against him as proof of his true intentions ("nothing 'accidental' about that, now is there, ladies and gentlemen of the jury?"). And motive is an element of the crime.

        Also, it's not inconceivable that a prosecutor would claim "any reasonable person can infer that the only way he could have proven the exploit worked to the buyer was by handing over some of the illegally acquired data". And thus he was not only profiting from his crimes by selling the exploits, but also selling personally identifiable data (or however the feds would label it).

        IANAL, and I don't watch the Law & Order reruns, but I'm pretty sure the prosecutors would try to show that selling the exploit was an overt act in furtherance of a criminal conspiracy. They would equate it to someone selling the plans to a bank, or the schedule of an armored car, to someone who was going to use that information to commit a robbery ("because there is no other reason for someone to purchase this type of information unless they were intending to use it to commit a crime").

        • (Score: 1) by opinionated_science on Saturday April 12 2014, @11:19PM

          by opinionated_science (4031) on Saturday April 12 2014, @11:19PM (#30628)

          google monty python blackmail, it is inspired farce for the modern age....!

          • (Score: 1) by Horse With Stripes on Saturday April 12 2014, @11:46PM

            by Horse With Stripes (577) on Saturday April 12 2014, @11:46PM (#30633)

            I can see the similarities ... and the potential for prosecutorial abuse ... all with lights, camera and a nude organist. Combine this with the "someone can sing about dancing talent" call in voting shows and I think we've got a winner. Add a cage match between Judge Judy & Nancy Grace, and they won't even need Ryan Seacrest.

            BTW, I found two different versions of the skit on YouTube. They used the same script (except for the identity of the caller at the end), but were shot on different stages, used some different actors, and had different pictures & film footage. Both needed to burn the organist's bench.

        • (Score: 2) by Angry Jesus on Sunday April 13 2014, @03:36AM

          by Angry Jesus (182) on Sunday April 13 2014, @03:36AM (#30676)

          > selling the information about the flaw would have been used as evidence against him as proof of his true intentions

          The only reason they even knew to persecute him was because he went public with the info. If he had just sold it, they would have never known to come after him. Even if the buyer exploited the information, unless someone else went public in a big way (e.g. talked to journalists rather than just used the info for criminal purposes), they would probably have just swept it all under the rug.

        • (Score: 2) by hemocyanin on Sunday April 13 2014, @06:08PM

          by hemocyanin (186) on Sunday April 13 2014, @06:08PM (#30816)

          Depends on the buyer. If he sold it to the NSA, he'd get money, immunity, and a medal.

    • (Score: 1) by redneckmother on Sunday April 13 2014, @03:00AM

      by redneckmother (3597) on Sunday April 13 2014, @03:00AM (#30666)

      "Maybe try to sell it."

      Yeah, to the NSA. Yeah, that's it!

      Perhaps you've met my wife - uhhh, Morgan Fairchild! Yeah, that's the ticket!

      --
      Mas cerveza por favor.
      • (Score: 0) by Anonymous Coward on Sunday April 13 2014, @04:12AM

        by Anonymous Coward on Sunday April 13 2014, @04:12AM (#30686)
        The young Morgan Fairchild...