Also don't forget that Weev was considering selling the info he got, before he decided to be lazy and just tell the world. So not only is he a massive troll, but his motives for the "hack" were also less than saintly.
You can, in fact, forget that. We should judge people to be criminals or not based on their actions, not their daydreams.
Also, how is it lazy to create a media shitstorm and get your house raided versus making some free money quickly and quietly? Are you really trying to frame his turning down free money as the MORE disdainful choice?!
We don't criminalize daydreams. And I'm not suggesting that we should.
However, we do take motivation into account with a great many crimes. For example, if you kill someone, your intentions, and how long you've had them, affect whether you get charged with manslaughter or murders 1 through 3.
To try and define the term "daydream" as being equivalent to "make solid plans" so that you can equate daydreaming with criminal conspiracy is some of the most tortuous logic I have seen in a while. Have you ever thought of a job as a government press secretary? You'd fit right in.
Trying to define "talking to your friends about how you're going to sell stolen information" as being equivalent to "daydream" is the tortuous logic I was responding to. Please read the entire thread and not just comments you don't agree with.
I did read the whole thread and I just read the published transcripts.
He does not say that he is going to sell stolen information.
He does remark on irc that the information is valuable and could be sold or used for a phishing operation, but that is an observation of reality, and can not be taken as a statement of intent without some other evidence showing that he was likely to pursue that course of action, and given that he then handed the list to gawker it would seem that this was not his intent, though the possibility had obviously crossed his mind.
To consider the possibility of indulging in criminal behaviour is not the same as planning to do so.
<devil's advocate>If you "consider" stealing thousands of credit card numbers, break into a business and collect all the required data, then get lazy before you get around to incurring fraudulent charges and just boast about it instead, perhaps you _do_ deserve jail time</devil's advocate>
weev fucked up - and he _knew_ he was "fucking up" when he went from "finding a vulnerability" to "automatically exploiting that vulnerability to collect as much data as he could". Felten, Blaze, Schneier, Kaminsky - they would all have tried incrementing the get parameter - when it worked they would all have tried a bunch more times to confirm their assumptions, none of them would expect to get away with subsequent wholesale download of AT&T's customer data. Neither should weev.
IIRC, all he would have been selling is email addresses that are known to belong to iPad owners with AT&T as a provider. I don't recall that he had any credit card info.
Yeah sure. That's what the devil's advocate tags were about. I was arguing reductio-ad-absurdum - for some crimes, half carried through preparations should be punishable even if the intended "end crime" never got carried out.
I'm not suggesting weev was after credit cards or intending to commit fraud. But I stand by me second para - that Kaminsky or Blaze wouldn't have downloaded the entire database after confirming the vulnerability works - and weev should have known he was "doing something wrong" when he chose to. I agree that AT&T (and the prosecutors here) are _seriously_ overreacting, but weev was a fool if he didn't expect _any_ adverse reaction.
The mother that drove her daughters' friend/rival to suicide via fake MySpace profiles should have known that what she was doing was wrong, but a conviction for her on the grounds that using a fake name violated MySpace's Terms of Service, and is therefore 'hacking' under the CFAA is just bad law. Making bad law to punish someone that was doing something 'bad' is a net-loss to society, not a net-win
This stinks to me of AT&T and their legal team trying to make them look like "the victim" - where in truth their subscribers are he aggrieved parties here and AT&T are as much in the wrong from he subscribers point of view as weev is.
If the man is actually guilty of a crime, convict him of that crime. If not, don't.
What you're saying is that we should convict innocent people of crimes they haven't committed because we don't like them. Do you not see the problem with that?
