He seems to be unfamiliar with the legal process, and really needs to get a lawyer. From the partial scans of the US attorney's letter, it sounds like a federal grand jury would like to subpoena him as a witness to testify about the gathering of AT&T subscriber email addresses and "electronic chip IDs" (I think the letter is technically incorrect). The letter informed him that if he failed to appear he might also have criminal charges filed against him.
This is a normal part of the process of a federal criminal investigation. What happens first is that a grand jury is formed. The jury investigates evidence, calls witnesses, and tries to determine if a crime has been committed, and if so, who committed the crime. Then, the grand jury might issue a federal indictment, or it might just determine that no crime was committed and drop the case completely.
If he or someone else is federally indicted, then he would be formally arrested and have to go to federal court to stand trial as a criminal defendent. It sounds like it has not gotten close to this point yet.
Edit: I also wanted to mention that you have no right to an attorney as a witness of a grand jury. You may choose to have an attorney represent you and be present, however, the financial burden is in no way the federal governments to provide one for you. IF you are charged, then you may receive a public defender if you have insufficient financial means to pay for your own defense.
Federal cases take months and years to prosecute. By refusing to participate with the grand jury, he might be opening himself up to the fact that another witness could implicate him and he might be indicted. Of course, there is also the saying "if nobody talks, everybody walks."
He really needs to get good legal counsel and decide if he wants to testify in front of the grand jury, and decide what he wants to say.
Also, he's not helping his cause any by speaking out on the web. Mentioning his past anti-semite ramblings is also probably not the best way to gather sympathy.
I also think he does a disservice to the security community as a whole to advocate black hat ideology at hacker conferences, and then talk about "responsible disclosure" and how he was just trying to protect the poor customers of AT&T. This seems to be rewriting history.
and found is in quotes for a good reason, as the drugs “found” near
me were “found” in the execution of a warrant for computers only
For what it's worth, the Fourth Amendment protects against 'unreasonable' searches and seizures. Anything found in the reasonable execution of a search warrant is admissible.
I don't know where the myth came from that only evidence related to the probable cause of the warrant is admissible. This is an on-face absurd interpretation: by that logic, if the police entered a house to search for evidence of felony tax evasion and stumbled upon a murder in progress, that wouldn't be admissible because the police weren't in the house searching for a murderer.
There is plenty of case law establishing limits on reasonability. For instance, in the execution of a lawful search of an apartment looking for weapons, officers saw a stereo that 'didn't fit the furnishings'. They lifted up the bottom of the stereo to take down serial numbers, and the person was arrested for having stolen the stereo. The problem, of course, is that weapons aren't stored under the bottom of a flat-bottomed stereo, and certainly the serial numbers weren't a reasonable part of the search for weapons.
But having drugs out in the middle of the room in 'plain view' is clearly reasonable. Even from weev's own post, the drug evidence passes the Horton test.
if the police entered a house to search for evidence of felony tax evasion and stumbled upon a murder in progress, that wouldn't be admissible because the police weren't in the house searching for a murderer.
But they couldn't cite the murder as admissible evidence of felony tax evasion, it would need to be separate charges, wouldn't it?
Well, at least you were able to dodge the tax evasion charge by distraction/misdirection. Now, about this little murder thing...
I think it's shameful that no one has stepped up to provide him with free, top notch legal assistance. I'm relatively familiar with the case (I know weev personally, too), and he is actually not exaggerating. This is exactly the kind of case the EFF exists to defend. Yes, weev is a troll and a media whore, but that doesn't automatically make him wrong.
Goatse behaved in the industry accepted standard way in popularizing a security vulnerability -- full disclosure. I personally would have done the same (although I would not have kept illegal drugs at my residence after doing so, but I also would probably ventilate anyone breaking into my home without clearly announcing a warrant...)
> Goatse behaved in the industry accepted standard way in popularizing a security vulnerability
Well, as someone working in the security industry I take slight issue with this. They appear to have cashed in on the media coverage as much as possible rather than focus on proper disclosure practices. I (and a lot of people in my job, I think) would consider it just on the wrong side of unethical.
Why is it "shameful"? It wasn't clear whether or not weev even asked the EFF/others to defend. It seems like he only asked the judge for a public defender and was denied, and then he ranted about that for awhile.
Did he ask others to defend or at least give him some free consult/referrals? Did he get denied by them?
I don't think the EFF should be spending donated money defending black hats from potential criminal prosecution. There are far more white hats out there that have been unfairly targeted for true responsible disclosure. There are also a lot more important free speech issues to defend than your right to shout private AT&T account information in a public theater...
He definitely needs to get an attorney to prevent him from writing future statements/positions in public. Now whomever represents him will have a much harder time defending him since he's written an entire essay on the matter. Each and every word, sentence, statement, and position can and will be used against him.
You cannot just publish personal data and then call it 'free speech' and 'industry standard practice' of a 'journalist'.
Seriously .. where is the ethics in that?
How about actually trying to work with AT&T to get this fixed behind the scenes? Oh no, of course not, because that would not result in the right kind of exposure for these 'security experts'.
These things are all about ego and status. Hidden behind a thin shell of 'full disclosure'.
Testing/Evaluating/Disclosing an exploit isn't immoral in my mind, nor should it be illegal (in a perfect world).
Disclosing private details of third paries is certainly immoral in my mind, and should be illegal.
According to this logic publishing the exploit, so long as you're censoring output, is fine. If someone uses your exploit to download personal data, it's AT&T who is doing the immoral/hopefully-illegal disclosure. If that someone uses your exploit and then publishes the data or does some other naughty thing with it, book 'em.
You get moral brownie points under this logic if you notify the target after you discover the exploit. It's not required, because disclosure is notification. Nefarious-types aren't going to call up a bank to say "hey, we're stealing all your customer records", nor will they disclose this hole to the world.
Unpopular statement ahead: if you collect personal details, it's your job to secure your systems, and it's your fault if your systems leak them. Of course there's no such thing as 100% secure, but you're the one doing the risk analysis and design.
The problem with "responsible disclosure" is that a vendor can convince you not to disclose at all -- they can drag out the process of patching for months, and can try to convince you never to release the disclosure, or at least to wait until no one cares anymore, because some users may not have patched.
The purpose of disclosure is twofold: you want the vendor to fix the bug, but you also want the marketplace to take notice of the existence of the bug.
Knowing that Vendor M was informed of a bug and took 6 months to fix it, whereas Vendor L was informed of a bug and took 1 day to fix it, is useful to me when I'm evaluating an operating system vendor. The best way to have this information out there is to cause a big splash when you release it.
Fundamentally, the assumption is that white and gray hat hackers do not discover every bug out there. If you sit there and do semi-sophisticated static analysis on a lot of software, or fuzzing, you can discover a lot of 0-day vulnerabilities which no one has yet announced.
If end users don't feel pain from security vulnerabilities, they will not prioritize adequate security when they make purchasing decisions. Vendors with a strong security focus should support aggressive full disclosure of all vulnerabilities of all vendors.
Are you even remotely familiar with the facts of the case?
weev claims to have received the data from an unknown source.
He then has AT&T informed through a third-party.
After that has happened and AT&T has fixed the vulnerability, he gives the data to a journalist and deletes it.
The journalist then writes about it and includes a small, badly redacted portion of it.
So, in summary weev did not publish the data in any meaningful sense and did make sure that the flaw was fixed before going public. What exactly about this is unethical?
Maybe I'm just cynical, but it seems like working behind the scenes with the vendor doesn't seem to bear fruit very often. It's pretty frequent to read about companies that have ignored vulnerabilities until they're fully disclosed. Plus, AT&T doesn't exactly have a recent track record for keeping their network or services in good order.
Of course, the vulnerabilities that are fixed by working directly with vendors never end up the topic of news articles, so I'm sure it's not as cut and dry as an outside perspective would indicate.
I would agree that this seems to have been more about ego and status than an example of journalistic integrity and responsible security research.
That said, does the irresponsible disclosure of names attached to e-mail addresses justify what he's gone through, assuming a modicum of truth to his assertions of being denied a legal defense, gag orders, FBI raids, etc? In my personal opinion, his point that URL scraping is not in and of itself a crime is substantially true, and renders the subsequent raid unjustified. Whether that would render the drugs inadmissible or provide him any legal cover from that charge I certainly am not qualified to say.
On that note - could anyone point me towards literature on 'gag orders' in the course of U.S. justice? I'd be curious to read on the history and justification for these.
I don't know anything about the story, but right now, it somehow looks like he's quite a nutjob. Writing shorter, more precise and in a chronological order of the events would really help the text to be more understandable and get the point across.
The situation is probably quite stressful for him, but he somebody should really help him work on the text so others understand what it's all about.
He has some posts which suggest the FBI was bugging his apartment and covertly following him around town. This was months prior to the release of the iPad accounts. So, yes, I suspect he is dealing with some mental issues.
I am highly suspicious of the fact that this deals a lot with other cases and his past run ins with the government and very little with the actual case (at times it even seems to deliberately skip details).
As always; this is one side of the story and (thought I hate to say this) from a somewhat troublesome person. I think it is reasonable to treat this as a serious matter, but there needs to be a lot more objective insight before I'd send him some money :)
Has he contacted the EFF or other similar organizations? What's with all this defense of anti-semetism? Someone needs to proofread this. What's the call to action? If the domain name's not going to change, fine, but get rid of the giant anus illustration for such a plea. Yeesh.
Just because you don't "like" someone is no reason to violate the hell out of his rights. If they do it to him, they will do it to you. And your being "liked" won't help you one damned bit.
I'm still not convinced that his rights were violated. He says they are, but this is a guy who wrote a giant essay about his case, and then published it on the net, and ended it with a plea for donations/money. If I were in his shoes, I'd have spent the time calling the EFF to see if they can help, and asking for referrals. It almost seems like he is seeking attention.
Also, he seems to be able to obtain documents and requests from the gov to print online, yet also claims he can't get access to them but mentions some deadline. If you're not able to read the request/denied access to it, no judge will hold the deadline over you. That's just conspiracy/crazy talk.
Unfortunate site logo as well. Between his writing style, the content of some of his posts, and the choice of name and logo, I'm finding it very difficult to take this author seriously.
A goatse symbol as his logo, makes anti-israel videos, has drugs lying around his apartment, describes his own blog posts as excellent, and apparently publicized some type of private information.
This is not a housewife being attacked by a SWAT team, it's someone who is likely to drift in and out of such problems who happens to have drifted in.
There is no doubt some ego-based confusion in his mind. It's evident from the first sentences: "...I’m sure you’re all familiar with from my previous excellent blog posts"
I feel sorry for the dude. He is asking for our help via cash or writing to our local, state and national representatives. That's a rock and hard place.
[+] [-] illumin8|15 years ago|reply
This is a normal part of the process of a federal criminal investigation. What happens first is that a grand jury is formed. The jury investigates evidence, calls witnesses, and tries to determine if a crime has been committed, and if so, who committed the crime. Then, the grand jury might issue a federal indictment, or it might just determine that no crime was committed and drop the case completely.
If he or someone else is federally indicted, then he would be formally arrested and have to go to federal court to stand trial as a criminal defendent. It sounds like it has not gotten close to this point yet.
Edit: I also wanted to mention that you have no right to an attorney as a witness of a grand jury. You may choose to have an attorney represent you and be present, however, the financial burden is in no way the federal governments to provide one for you. IF you are charged, then you may receive a public defender if you have insufficient financial means to pay for your own defense.
Federal cases take months and years to prosecute. By refusing to participate with the grand jury, he might be opening himself up to the fact that another witness could implicate him and he might be indicted. Of course, there is also the saying "if nobody talks, everybody walks."
He really needs to get good legal counsel and decide if he wants to testify in front of the grand jury, and decide what he wants to say.
Also, he's not helping his cause any by speaking out on the web. Mentioning his past anti-semite ramblings is also probably not the best way to gather sympathy.
I also think he does a disservice to the security community as a whole to advocate black hat ideology at hacker conferences, and then talk about "responsible disclosure" and how he was just trying to protect the poor customers of AT&T. This seems to be rewriting history.
[+] [-] boredguy8|15 years ago|reply
I don't know where the myth came from that only evidence related to the probable cause of the warrant is admissible. This is an on-face absurd interpretation: by that logic, if the police entered a house to search for evidence of felony tax evasion and stumbled upon a murder in progress, that wouldn't be admissible because the police weren't in the house searching for a murderer.
There is plenty of case law establishing limits on reasonability. For instance, in the execution of a lawful search of an apartment looking for weapons, officers saw a stereo that 'didn't fit the furnishings'. They lifted up the bottom of the stereo to take down serial numbers, and the person was arrested for having stolen the stereo. The problem, of course, is that weapons aren't stored under the bottom of a flat-bottomed stereo, and certainly the serial numbers weren't a reasonable part of the search for weapons.
But having drugs out in the middle of the room in 'plain view' is clearly reasonable. Even from weev's own post, the drug evidence passes the Horton test.
[+] [-] cschep|15 years ago|reply
http://en.wikipedia.org/wiki/Plain_view_doctrine
[+] [-] sp332|15 years ago|reply
[+] [-] thwarted|15 years ago|reply
But they couldn't cite the murder as admissible evidence of felony tax evasion, it would need to be separate charges, wouldn't it?
Well, at least you were able to dodge the tax evasion charge by distraction/misdirection. Now, about this little murder thing...
[+] [-] rdl|15 years ago|reply
Goatse behaved in the industry accepted standard way in popularizing a security vulnerability -- full disclosure. I personally would have done the same (although I would not have kept illegal drugs at my residence after doing so, but I also would probably ventilate anyone breaking into my home without clearly announcing a warrant...)
Free weev!
[+] [-] ErrantX|15 years ago|reply
Well, as someone working in the security industry I take slight issue with this. They appear to have cashed in on the media coverage as much as possible rather than focus on proper disclosure practices. I (and a lot of people in my job, I think) would consider it just on the wrong side of unethical.
[+] [-] ttol|15 years ago|reply
Did he ask others to defend or at least give him some free consult/referrals? Did he get denied by them?
[+] [-] illumin8|15 years ago|reply
[+] [-] iambvk|15 years ago|reply
[+] [-] ttol|15 years ago|reply
[+] [-] st3fan|15 years ago|reply
You cannot just publish personal data and then call it 'free speech' and 'industry standard practice' of a 'journalist'.
Seriously .. where is the ethics in that?
How about actually trying to work with AT&T to get this fixed behind the scenes? Oh no, of course not, because that would not result in the right kind of exposure for these 'security experts'.
These things are all about ego and status. Hidden behind a thin shell of 'full disclosure'.
[+] [-] furyg3|15 years ago|reply
Testing/Evaluating/Disclosing an exploit isn't immoral in my mind, nor should it be illegal (in a perfect world).
Disclosing private details of third paries is certainly immoral in my mind, and should be illegal.
According to this logic publishing the exploit, so long as you're censoring output, is fine. If someone uses your exploit to download personal data, it's AT&T who is doing the immoral/hopefully-illegal disclosure. If that someone uses your exploit and then publishes the data or does some other naughty thing with it, book 'em.
You get moral brownie points under this logic if you notify the target after you discover the exploit. It's not required, because disclosure is notification. Nefarious-types aren't going to call up a bank to say "hey, we're stealing all your customer records", nor will they disclose this hole to the world.
Unpopular statement ahead: if you collect personal details, it's your job to secure your systems, and it's your fault if your systems leak them. Of course there's no such thing as 100% secure, but you're the one doing the risk analysis and design.
[+] [-] rdl|15 years ago|reply
The purpose of disclosure is twofold: you want the vendor to fix the bug, but you also want the marketplace to take notice of the existence of the bug.
Knowing that Vendor M was informed of a bug and took 6 months to fix it, whereas Vendor L was informed of a bug and took 1 day to fix it, is useful to me when I'm evaluating an operating system vendor. The best way to have this information out there is to cause a big splash when you release it.
Fundamentally, the assumption is that white and gray hat hackers do not discover every bug out there. If you sit there and do semi-sophisticated static analysis on a lot of software, or fuzzing, you can discover a lot of 0-day vulnerabilities which no one has yet announced.
If end users don't feel pain from security vulnerabilities, they will not prioritize adequate security when they make purchasing decisions. Vendors with a strong security focus should support aggressive full disclosure of all vulnerabilities of all vendors.
[+] [-] mukyu|15 years ago|reply
weev claims to have received the data from an unknown source.
He then has AT&T informed through a third-party.
After that has happened and AT&T has fixed the vulnerability, he gives the data to a journalist and deletes it.
The journalist then writes about it and includes a small, badly redacted portion of it.
So, in summary weev did not publish the data in any meaningful sense and did make sure that the flaw was fixed before going public. What exactly about this is unethical?
[+] [-] dlytle|15 years ago|reply
Of course, the vulnerabilities that are fixed by working directly with vendors never end up the topic of news articles, so I'm sure it's not as cut and dry as an outside perspective would indicate.
[+] [-] Pahalial|15 years ago|reply
That said, does the irresponsible disclosure of names attached to e-mail addresses justify what he's gone through, assuming a modicum of truth to his assertions of being denied a legal defense, gag orders, FBI raids, etc? In my personal opinion, his point that URL scraping is not in and of itself a crime is substantially true, and renders the subsequent raid unjustified. Whether that would render the drugs inadmissible or provide him any legal cover from that charge I certainly am not qualified to say.
On that note - could anyone point me towards literature on 'gag orders' in the course of U.S. justice? I'd be curious to read on the history and justification for these.
[+] [-] Sujan|15 years ago|reply
The situation is probably quite stressful for him, but he somebody should really help him work on the text so others understand what it's all about.
[+] [-] datasink|15 years ago|reply
He has some posts which suggest the FBI was bugging his apartment and covertly following him around town. This was months prior to the release of the iPad accounts. So, yes, I suspect he is dealing with some mental issues.
[+] [-] unknown|15 years ago|reply
[deleted]
[+] [-] dlytle|15 years ago|reply
I'd be interested to see an analysis by someone who knows more about the law than I do.
[+] [-] mfukar|15 years ago|reply
Really? Are you really going for this elementary school argument?
Doesn't help when you distort the concept of 'full disclosure' and related practices, either.
No sympathy vote from me.
[+] [-] ErrantX|15 years ago|reply
As always; this is one side of the story and (thought I hate to say this) from a somewhat troublesome person. I think it is reasonable to treat this as a serious matter, but there needs to be a lot more objective insight before I'd send him some money :)
[+] [-] st3fan|15 years ago|reply
What he needs to do is get proper legal counsel.
[+] [-] altano|15 years ago|reply
Has he contacted the EFF or other similar organizations? What's with all this defense of anti-semetism? Someone needs to proofread this. What's the call to action? If the domain name's not going to change, fine, but get rid of the giant anus illustration for such a plea. Yeesh.
[+] [-] furyg3|15 years ago|reply
[+] [-] mikecane|15 years ago|reply
[+] [-] ttol|15 years ago|reply
Also, he seems to be able to obtain documents and requests from the gov to print online, yet also claims he can't get access to them but mentions some deadline. If you're not able to read the request/denied access to it, no judge will hold the deadline over you. That's just conspiracy/crazy talk.
[+] [-] phreeza|15 years ago|reply
[+] [-] daten|15 years ago|reply
[+] [-] openfly|15 years ago|reply
[+] [-] jeb|15 years ago|reply
This is not a housewife being attacked by a SWAT team, it's someone who is likely to drift in and out of such problems who happens to have drifted in.
[+] [-] stcredzero|15 years ago|reply
[+] [-] eplanit|15 years ago|reply
[+] [-] skn|15 years ago|reply
[+] [-] superk|15 years ago|reply