The Lesser of Two Weevs

Yesterday, Andrew Auernheimer (aka Weev), was sentenced for his 2012-08-16 indictment on one count of “fraud and related activity in connection with computers” (18 U.S.C. § 1030) and one count of “conspiracy to commit offense or to defraud” (18 U.S.C. § 371). This was the result of Auernheimer’s activities in 2010, where he manipulated a URL on an AT&T web site, and discovered an information enumeration vulnerability.

While a lot has been written the last 24 hours on this topic, mostly via 140 character Tweets, most stories aren’t covering the full range of issues surrounding this case. Some stories cover the harsh sentencing, while older stories cover the simplistic nature of the vulnerability found. What I find lacking are stories that put it together in context, to explain how absurd this is. There are three high-level components to this story.

The Vulnerability

Enumeration vulnerabilities come in a wide variety of formats. Via the web, they are often very simple and straight-forward. A web site serves up content specific to you, customer #1234. Poorly designed web applications will identify you as customer #1234 to the application using a variable that is passed via the URL you send to the server. For example:

/banking/account.php?date=20130317&account=checking&customer=1234

You can clearly see your customer number in the URL. What happens if you change 1234 to 1235 and submit it to the server? In this case, you go to jail for 41 months. No exaggeration, no bullshit. That is a basic example of an information enumeration vulnerability, due to extremely poor coding practices and absolutely no security review of the application.

The frequency of such vulnerabilities is disturbing. But not as disturbing as the multi-million dollar companies that are entrusted to protect hundreds of thousands of customer’s data. If you are browsing the web or using your banking application and notice the above, and casually change 1234 to 1235, who is the real bad guy here? You, or the corporation that decided not to employ the most fundamental security measures from the last thirty years?

The Crime

This aspect of the story is the perhaps the biggest disconnect for most readers. Instead of being exposed to the fundamentals, and the history of vulnerability discovery and how it influences disclosure, they get wrapped up in the media’s portray of Auernheimer. Yes, “weev” is a controversial character. He is an admitted Internet troll, an asshole of sorts, and a character of questionable repute. However, that doesn’t matter, at all. If being an asshole was a crime, all 18 people in the U.S. who weren’t would be left to read this.

So what did Auernheimer really do? He figured out an enumeration vulnerability in AT&T’s web site, that let him determine the entire iPad user database. This constituted some 114,000 iPad 3G users. What information did the AT&T site give up, that Auernheimer got access to? Email addresses. No full names, no physical addresses, no phone numbers, no credit information, no passwords. In case you weren’t aware, you can purchase 50 million email addresses on a single ISP for a whole $500.

Why the big deal? This is where it gets a bit murky, at least to an outsider. When a researcher finds a vulnerability in a product, service, or web site, they have several avenues for disclosure. First, they can sit on the information and simply not disclose it. This doesn’t protect anyone, because the idea that no one else will find it is absurd, and has been proven wrong many times over. Second, they can disclose it in a ‘responsible’ (poor term, commonly used) or ‘coordinated’ (better term, use it) manner, in which they work with the vendor to disclose it only when the vendor is ready, and the issue has been fixed. Third, they can disclose it without informing the vendor, or they can disclose it after informing the vendor but not waiting for a fix. Each of these scenarios happens every week, a hundred times over.

The average citizen, including jurors and judges, does not understand the history or intricacies of vulnerability disclosure. There are vendors and service providers that have a long history of not caring about vulnerabilities. That is, until it affects them in the public eye. A serious issue can exist for five, ten, or sometimes seventeen years, without being fixed. When the right light hits the ordeal, usually via a negative high-profile media article, the company suddenly takes an interest. If Auernheimer had reported this to AT&T directly and waited for a fix, there is a good chance it would have gone unfixed for months, possibly years. Every day that ‘coordinated’ disclosure happens runs the risk of someone with bad intentions finding the same issue.

Rather than go to AT&T and risk months of back-and-forth and/or waiting, Auernheimer opted to go to a media outlet. Why? Media pressure is one of the strongest motivations for a company to fix a vulnerability. One could argue that since the vulnerability was not very serious (again, just email addresses being disclosed), that going to a journalist instead of the company was not a big deal. Regardless of Auernheimer’s potential intentions regarding the embarrassment to AT&T, he took a route that would likely have the most success in getting the issue fixed.

The Sentencing

For his “crime”, Auernheimer was sentenced to 41 months in prison, 3 years probation, and ordered to pay $73,000 in restitution. Again, for showing how anyone could harvest a list of 114,000 email addresses. SC Magazine quickly wrote an article detailing 8 criminals that used computers in the commission of their crime, but received less prison time. I understand that courts are behind the times on computers, their use, abuse, and how to punish crimes related to them. I expect to see some discrepancy between sentencing in such cases. What I fail to understand is how a court can offer up such a sentence as compared to other crimes, that are certainly more destructive, and more heinous. Consider the following crimes and sentences, all handed down very recently:

  • Molesting 2 children can get you 14 months. [Source]
  • Child abuse can get you 32 months. [Source]
  • Manslaughter can get you as little as 42 months, just 1 month more than email addresses. [Source]
  • Possession of child pornography is good for 48 months, just 7 months more than email addresses. [Source]
  • Involuntary manslaughter, 50 month maximum per victim. [Source]

Perhaps the biggest comparison has been Auernheimer to the two Steubenville (Ohio) rapists who were sentenced for a total of three crimes, and collectively received less time. Trent Mays was convicted of raping a teenage girl, and ordered to spend “at least one year in an Ohio Department of Youth Services facility or until they are 21 years old“. Since Mays was was also convicted of having pictures of a minor in “nudity-oriented material”, he received 1 additional year. Ma’Lik Richmond, also convicted of raping a teenage girl, received one year in the Youth Services facility. Two rapes, and essentially one count of child pornography, and collectively they get 36 months, compared to the 41 Auernheimer received. More disgusting is what is being called the “rape culture”, where news outlets such as CNN were apologetic to the rapists, decrying the sentencing and claiming their “lives were over”. Perhaps if Auernheimer’s lawyers argued that he only “raped the AT&T system”, he would have received a year.

The Lesser of Two Weevs

Once again, forget about Auernheimer’s predilection for trolling or seeking to annoy people. That is entirely irrelevant to the case. He found a minor vulnerability on AT&T’s web site, he told a journalist who wrote an article about it, and AT&T fixed it. No one suffered real damage from his activity. He did not seek to profit from his activity. More interesting is that AT&T specifically wants bugs reported to them, which Auernheimer did about the same time as he notified the journalist. While he did not follow their desired process, both sides made their intentions clear; they want bugs fixed. In this case, they diverged in the method for effecting that change.

If Aurenheimer had tried to profit from his activity, I understand how the court would seek to punish him. If he sent emails to all 114,000 people defaming AT&T, or caused them to receive excessive emails, I would expect a harsher punishment. But given that a bank loan manager was recently sentenced to six months in prison for computer fraud in an attempt to increase her own lines of credit by more than $200,000, you have to wonder what other factors are at play here. Companies are frequently dealing with vulnerabilities, some disclosed directly to them, some exploited by bad guys, some reported via the media first. Why is the AT&T case so special?

It will be interesting to see how other crimes are dealt with in comparison. For example, the same day Auernheimer gets sentenced to prison, other anonymous researchers share their recent work that involved illegally accessing 420,000 systems on the Internet. In the United States, that constitutes 420,000 felonies.

That said, I for one am grateful that Aurenheimer reported the vulnerability, both to the media and AT&T directly. Given my personal history of dealing with vendors in vulnerability disclosure, I don’t blame him or any other researcher who opts not to work with a vendor. It is often a time-consuming and painful process, that typically challenges your faith that a company cares about security and their customers. In this case, we got the lesser of two Weevs; the one that wasn’t intent on pissing as many people off as possible. The one who didn’t opt to use the information for profit, that didn’t sell the list to criminals, that didn’t actively try to compromise AT&T systems. And for that, he will receive over three years in federal prison. Think about it.

10 responses to “The Lesser of Two Weevs”

  1. After quite a few Tweets in reply, a few things to clarify.

    1. I understand the ‘conspiracy’ angle, but don’t find it compelling at all. Thanks to @StyleWar for the link to the indictment: http://www.scribd.com/doc/113664772/46-Indictment Reading those chat logs, I don’t see how anyone remotely familiar with the Internet could believe it was a serious attempt to leverage the vulnerability for consulting work. The quoted material about Goatse Security, along with the repeated chat logs stating it was a troll, should make it clear. The comments about selling the email addresses do not appear to be sincere or serious to me.

    2. I began writing this late last night, and on the first line I accidentally used “charged” instead of “indicted” (fixed shortly after publication). If a simple and honest mistake like that makes you dismiss everything else, you are probably perfect for a jury.

    3. I brought up the Steubenville case only to point out the disproportional sentencing between rape and exposing some email addresses.

    4. No matter what happens, what is said by the court, or what happens to Weev, I view AT&T as criminally negligent in this matter. They either opted not to perform any security review of a production application that contained “sensitive” and “protected” data, or they did not perform due diligence in their hiring of a security consultant/employee to perform the review.

    • A well written piece m’man. Agreed on AT&T, But as much as you, and many others might fail to find the evidence on Weev compelling, the jury (who heard ALL the evidence) found it perfectly consistent with the truth of guilt.

      To recap:
      1) Andrew did not JUST disclose to A reporter. Suggesting he did, is misleading at best and false at worst.

      2) Andrew’s mouth (fingers) spoke the truth of both the law AND of his own conscience (by calling it ‘theft’) long before before a jury ever did. He convicted himself via IRC.

      3) Andrew (and others) would like to believe that the Internet is a place where you can yell “fire” in the theater without consequence, disparage and troll and bully, and slander, and lace speech with epithet, and then hide behind the liberty bought with the blood and conviction of those before them.

      ‘Trolling is harmless’ the intelligentsia say. It was research they say. He didn’t mean what he said they say. Well guess what!! The FBI, the DOJ, the NSA, the law, and the people who sit on juries are disagreeing LOUDLY .. Hear them, or fail to at your own peril.

      As for the rest of us – we can all rage against the river for flowing the wrong way, but if Andrew bets his future on the notion that a jury will understand how “lulsy” his actions were, we ought to be able to agree that he deserves the results of a fools bet. If he defies a judge’s order to hand over a device, and he attempts to flaunt a freedom he no longer holds, is there any disagreement about what he should expect? Is anyone honestly surprised that it’s head/desk?

      His moral and ethical center put him where he is. A vigorous prosecution won, and a vigorous defense was deeply set back deeply by 1-3.

      I’m as anxious as anyone to see how his appeal plays out. That will tell the true tale. For now, we part ways in this — I don’t find the evidence of a threat to liberty as compelling as the evidence of a threat to hubris …

    • One thing that needs to be kicked in the teeth is the garbage charge of “interfering with a protected computer”. Back when that law was passed in 1984, there was no Internet and the networked commercial computers were vital and very important. Now, any mom’n’pop web site store can be included under that law. Garbage!

  2. I can say that no security operator, legal or otherwise, should disclose anything now, unless it’s dumped to pastebin. It appears that you will be dealt with under the full weight of the ‘law’ so you might as well do as much damage to the corporate and .gov scum as possible.

Leave a Reply

%d