So far it's only Weev (and his lawyer) saying that tweeting is the reason for being put in solitary.
Like the article says,
> According to the National Institute of Justice, "administrative segregation" is a synonym for solitary, and is reserved:
> for violent or disruptive behavior. AS typically involves single-cell confinement for 23 hours daily; inmates are allowed one hour out of the cell for exercise and showers.
That disruptive sticks out. It fits Weev pretty well.
I wouldn't be surprised if he's alone to protect himself.
Disruptive behavior includes pissing off the guards with wisecracks and a smug air of intellectual superiority. I'd bet $10 to 1 that's why he's in there.
Wisecracks can probably be defined, but what exactly is "smug air of intellectual superiority"? I have seen people accused of that for merely wearing glasses and using words not in the accusers vocabulary. It is arbitrary as hell.
Let's say he was making fun of the guards for all having G.E.D.s though.... putting somebody in solitary for that is abhorrent.
They're prison guards. It would be amazing if they didn't do stuff like that. I'm assuming Weev is in a federal prison so at least he's not likely yo be raped.
I wouldn't trust weev's perspective on this right now; his world is currently being specifically controlled by design to maximize his "rehabilitation" by keeping him in a state of constant stress. His lawyer's job is (literally, if you read his law society's rules) to create controversy while facilitating his client through the legal system, because the Lawyer ultimately works for the Courts first, the People second, and his Client third. Weev is not receiving accurate/valuable information while in jail (guards aren't going to tell you why they're moving you), and his lawyer is probably more focused on appeals than his treatment in jail. You will probably not see a mention of this segregation anywhere in the Defendant's future filings.
More than likely, someone got wind in General Population that he was a computer nerd, and an easy mark. he was probably moved to "Administrative Segregation" in order to protect him. Often, effeminate or homosexual males will be put in some sort of protective custody. This segregation is regularly done for retaliation, but all things considered, it's better than the alternative: Guards look the other way while people up for murder/abuse you in your cell.
The downfall of most Administrative Segregation is that the prisoner is now amongst the other segregated prisoners. usually, these prisoners are heavily-drugged, and wander aimlessly, unless they're being lined up for another dose of drugs. This tends to put the observing prisoners in a deep state of depression. I have personally witnessed (within a 2 week period of solitary) more than 10 people break down and ask the guards for drugs, because they were feeling suicidal in the protective environment.
Honestly, it's like sleeping and eating in your bathroom. I hope weev doesn't lose sight of that fact amongst all the "correction" he's experiencing.
1. Does being a cretin or a jerk or whatever mean it is OK to be imprisoned for non-crimes?
2. He wasn't the one who started the comparisons with Aaron Swartz, from weev's tweet: "CNN is also sitting around calling me a meanie. I'm a bad troll, and no Aaron Swartz, the outraged masses cry!" Then he goes on to continue differentiate himself from Aaron, he never created or invited a positive comparison.
3. The article said he was sending messages to another person who was tweeting on his behalf. Why would he lose his right to free speech just because he has been convicted of a crime? Why wouldn't he be able to tweet (by proxy)?
In the USA the moment you're convicted of a federal crime your rights go right out the window, some of them permanently. In some states you lose the right to vote. You lose all 2nd amendment rights (the right to bare arms) for life unless pardoned by the president no matter what the crime was.
As for tweeting from prison, I have no idea what he was thinking.
Is it illegal to do so? What forms of communication are and are not legal when incarcerated?
(Of course, he certainly could have tweeted via an illegal manner. But it's not clear to me on the face of it whether tweeting while convicted is a crime.)
According the the article, it appears that he tweeted by using the (legal to access) system for sending e-mails, and someone else tweets them for him. Unless he has a restriction on using computers / the internet as part of his sentence, I have a hard time imagining how that is illegal.
According to the Federal Bureau of Prisons website, "Email correspondence may not jeopardize the public or the safety, security, or orderly operation of the correctional facility. Additionally, it may not exceed 13,000 characters (i.e., approximately two pages). Correspondence that is not consistent with these restrictions will be rejected."
That length restriction seems really bizarre to me. Is the purpose of that just to prevent their mentally ill inmates from bombarding the public with massive manifestos?
Does that limitation also exist for traditional non-electronic letter? Are inmates allowed to publish books from prison? I'm aware of the Son of Sam Law, which forbids profiting off the story of your crime. That seems to indicate that other stories are okay, but I am not sure.
> That length restriction seems really bizarre to me. Is the purpose of that just to prevent their mentally ill inmates from bombarding the public with massive manifestos?
The purpose is to keep organized crime leaders from continuing to run their networks while incarcerated.
I'm not sure about that. The more likely reason is that someone has to read those emails and authorities did not want it to become a huge burden on the reviewers.
I think they limit the length so that the emails can be examined. You wouldn't want someone DOSing the wardens and sneaking a message out via the whitespace characters.
Yeah, I'm with the other reply, you and too many other people here are saying "Weev was a jerk".
Yeah? Well I think you're a low-life for making decent treatment conditional on your LIKING of someone, especially since I highly doubt you've met him or seriously interacted with him and like everyone else on here are just talking out your ass.
Unless you have something to add - you're the noise, not the signal - mister "tremendous cretin".
I can only wonder whether he is accomplishing anything with this. Not judging, I really have no idea.
He seems a little immature and kind of obnoxious, even if his goals appear to be laudable. Maybe that's what it takes to get the attention the CFAA needs in order to be reformed.
Based on reports¹², weev is super-malevolent, helping drive blogger Kathy Sierra off the internet, being president of a group I won't even name here, saying "I hack, I ruin, I make piles of money. I make people afraid for their lives", stealing people's social security numbers, and so forth. If you think his goals are laudable, please read a bit more about his goals.
I think any further attention he brings onto the CFAA can only serve to ensure it is maintained or even strengthened.
I just don't see how a skilled computer hacker (in the original sense of the term) in jail for computer-related crimes, who goes on to get access to Twitter from prison, will put a positive light on CFAA reform efforts for the average American.
I understand the need to monitor communication in prisons I mean you never know how a drug dealer will give commands to his gang but seriously this guy is not a drug dealer.
He should be allowed to communicate with the outside world unless the prison has something to hide. (See that logic works backwards as well)
We are so used to the government telling us our communication should be monitored unless we have something to hide but how about we apply that to them.
If what is said in the article is correct, I don't see what was wrong with "him tweeting". He sent messages via a prison-approved method to someone outside who tweeted on his behalf.
Do prisoners automatically retain the right to access online services? No. But why should they be denied the right to ask people in the outside world to use these services (which are completely legal - it's not like he was asking them to do anything dodgy) on his behalf?
Just because the title makes it sound like he sneakily found a way around the system, this really isn't a big deal, he didn't break any rules, he didn't even find any loopholes, he just did what seems to be perfectly allowed. (Unless the article is neglecting to mention why it would not be allowed.)
Weev is a massive tool, but (if his lawyer's speculation is correct) why do you feel that asking someone to post a tweet on your account warrants solitary confinement? What makes it worse than writing a letter to a newspaper, writing a book and having it published while in jail, or just speaking to someone and asking them to pass a message onto friends/family - all of which happen without outcry.
If it's prison-approved then it's true that stuff ending up on Twitter (which is how I'd phrase it rather than 'weev posting to Twitter') should not land him in solitary.
But that is weev's theory for why he landed in solitary; there may be alternative reasons (e.g. joking about killing himself, disruptive behavior with other inmates, etc.)
Sure, it's possible he's in solitary for killing 20 prison guards, but this article and these comments are on the theory that it's for tweeting, and the person I replied to suggested that this alone warranted solitary confinement.
>and why on earth would anybody be outraged or otherwise incensed by this?
I think any decent person should be outraged by the idea of someone being put in solitary confinement for reasons other than being a danger to themselves or others. Even granting the point that he should have known this would happen (a point I'm not quite ready to concede), that doesn't make it any less deplorable.
Rosa Parks should have known that she would be arrested if she didn't give up her seat. That doesn't make it OK that she was.
Prisoner or not, would expect things to be legal unless stated otherwise by a specific law. Is there a law that makes it illegal for someone to tweet on behalf of a prisoner? I'm genuinely curious about that.
The government wants to suppress hackers from distributing identity theft information out and about so that ATM harvesting (an exploding business) continues to be out-of-control.
But the problem is, the government is doing it exactly backwards. We need to be punishing AT&T for the fact that Weev gained access. Not punishing the person who got in.
It's cultiavating a culture of "It's OK to have no security". And as such, criminals are stealing your identity from everywhere all over the internet because the government wants to spy on the citizens.
If we have tons of weev's going around illustrating (proving to the world) that AT&T can be hacked by teenagers, then AT&T would fix their problems.
This whole situation is so disgusting. The people who are perpetuating the problems on the internet are the ones destroying the few capable hackers who are trying to point at the REAL problem. We need the government to pay Weev a million dollars every time he steals a batch of Identity information, and send the bill to AT&T. Eventually AT&T would be bulletproof.
It makes me very sad, kind of like when you see a criminal stealing some booze shoot a mother and a baby because they were witnesses and in the way. You just cry and move on. The problem of identity theft will continue to explode because the criminal is still lose, and the only solution was incarcerated.
> It's cultiavating a culture of "It's OK to have no security"
This is how the rest of our culture works. If you leave your door unlocked and somebody robs your house, we charge that person with robbery and put them in jail. We might shake our head at your naivete, but you won't get in trouble for having lax security.
If the tech community wants this standard to change when dealing with intellectual property, we need to articulate why and get people on board, because it's certainly not the default in either our current culture or our current laws.
AT&T leaves the door open with your stuff inside. Its a little different. They should have some responsibility to protect all that personal goodness they seem oh so willing to demand of you.
If someone steals my laptop from your apartment, the person stealing is still guilty of a crime. Depending on our arrangement you may also be liable for the loss of my laptop, but that doesn't excuse the thief's action.
What if you leave a laptop sitting in the middle of the street with no identifying information on it and no password required to login. I would argue that picking that laptop up and keeping it isn't theft but rather simply FINDING it.
In this case AT&T put the laptop in a brown paper bag (in the middle of the street) and then were shocked, SHOCKED that someone would open it up to see what's inside.
EDIT: Security through obscurity is no security at all.
It is actually theft to take a laptop in a brown paper bag in the middle of the street unless there is an indiction the owner intended to abandon it. Finders are supposed to make efforts to locate the owner or otherwise turn in what was found.
When it's a laptop full of customer information left around in the street - as this analogously was, do you tell the company so they can cover it up or the news so people know to watch for fraudulent charges?
Weev joked about a lot. Stuff that would have been fitting to have happen to AT&T considering their negligent practices and disgraceful follow-up, but if we're guilty of what we joke about ...
I believe that the person doing the stealing needs to be held responsible. I also think that the entity holding the data needs to be held responsible for a lack of security. If your kid is kidnapped from a daycare because they didnt lock doors or have any security measures they can be held accountable for that as well as the kidnapper.
Somebody cannot steal things from my apartment without being in a jurisdiction that I presumably have decided is sane.
Meanwhile when AT&T forgets to lock the door to the stuff I have entrusted them with, anyone in the world can get at that. AT&T relying on the law being able to eventually get baddies after the fact is not sufficient.
To be fair, there is a difference between actually stealing your stuff, and just walking into your house to prove your security sucks.
It would be like if I just opened up a bank vault and walked inside and shouted "Hey, this bank sucks, no one put your money here!" without actually stealing anything.
That's just concern troll nonsense, or what someone who'd never heard of software would say. It's easier to download a range of IDs than to guess which ones are valid.
And "three email addresses leaked - hacker claims more could be at risk" is pathetic and you know it would be ignored. By the company, by the news, and ultimately, by users.
Also, there's a fallacy here. You admit it's reasonable to download, leak, etc, but then make it seem unreasonable because he did too much of it.
The joke of it though, is that ultimately you-all can piss and moan about your convenient morals, but what Weev should have done - by your "anything legal is A-OK" standards - is to emigrate to Russia (or elsewhere) and sell the data to a local "security firm". Then he'd have been rich, and safe, and AT&T would either be secure or out of business.
But instead he did the honest thing (and inconvenienced a wealthy corporation in doing so) and suffers greatly.
You are all making the mistake of conflating data copying with theft. The real reason this is fucking ridiculous is that he was using the internet to lookup an address and got information without any trespass, but was charged anyway.
It's nothing like stealing, it's more like being arrested for taking and distributing photos of a home taken from a public road.
Customers should be the ones punishing AT&T. The government could do a better job advertising the security failures to potential customers, rather than pursuing legal action for mediocre fines.
True but customers MUST be willing to vote with their dollars and so very few are. I have countless friends or acquaintances who constantly complain about a service/product/provider/etc and I simply tell them to switch or stop using said service. Rarely will people stop because it's simply too "inconvenient".
If you and large numbers of others don't vote with your wallet, do not expect change.
Unless I'm remembering this incorrectly, didn't he get given the data? I don't think it was him who discovered the flaw. Sort of like handling stolen goods, as they were duplicated without permission, he then tries to profit from this (iirc he admitted this). If he had followed responsible disclosure principles, he could have even created a nice media circus for all. As is, I can't understand why he should have sympathy for him. Sure AT&T messed up, if it was under UK law I would hope the Information Commissioner would fine them. He showed contempt for the law, and got a sentence that matches.
Given his previous history of not telling the truth, I'm not inclined to believe this is anything but business as usual for the US prison system. Not that business as usual isn't a bad thing.
Sure, but that doesn't excuse the thief. In a 'just' world the thief would go to jail and AT&T would suffer fines, private lawsuits. The people responsible for the lack of security would also be fired.
> If you leave your door unlocked and somebody robs your house, we charge that person with robbery and put them in jail.
Certainly! And rightly so. If they wanted to be a good neighbor, they could politely point out that you did something stupid without actually going inside your house.
> We might shake our head at your naivete, but you won't get in trouble for having lax security.
A business is a bit different though. I don't know the relevant laws, but some businesses have a duty to protect their customers' data - a moral one, if nothing else.
Your analogy is way off. We're talking about other peoples things here, not personal negligence. In Europe a company can face large fines for inadequately protecting customer data. If someone broke into your bank and emptied your account, would you "shake your head" at your bank and be done with it?
In Japan too. In large companies all employees have to learn about customer data privacy, as part of compliance training. But I wouldn't assume the company would be fined in this case. Just because somebody got unauthorized access to customer data, it doesn't necessarily mean that the company was negligent according to the law.
When a company makes a guarantee that they do not uphold.
You buy a storage bin from a company that guarantees 24x7 security and your stuff is stolen because there was no nightwatchman on duty then you have a case against the company. That doesn't give the thief a free pass or make their actions right, however partial blame does go to the storage company.
I work with systems that have to comply with HIPPA regulations. If we didn't comply, we couldn't say "Oh, we didn't know, we'll do better next time". It is our job to know, and to comply with regulations; anything else is us being negligent of our duties.
A company the size of AOL? They're negligent. This doesn't mean that what Weev did was good, or OK, or even that he should be the poster boy for reform. He also knew what he was doing, and the fact that AOL's security was poor doesn't excuse it. If anything he'll become the poster boy for "why these laws need to exist".
With real property, you can't get sued for negligence just for having lax security. You can incur liability if somebody gets onto your property and hurts themselves (the particulars of which I'm not familiar with since IANAL), and you may lose some protection for property damage/loss, but the standard for that is also very much in favor of the property owner.
>If the tech community wants this standard to change when dealing with intellectual property, we need to articulate why and get people on board, because it's certainly not the default in either our current culture or our current laws.
As others have pointed out, the difference here is that you have one party responsible for the data of another. But I'm with you on not necessarily wanting the law to punish someone for this kind of negligence.
But let's go through our alternatives here for the situation at hand. This isn't a case where some criminal aims to profit from credit card fraud, or where some irreparable injury has occurred to anyone. In those cases you have an obvious need to punish the perpetrator, and there are already separate laws against such things. In this case the primary "harm" is to the reputation of a negligent party, and their costs in responding to the consequences of their own security failure. So what are our alternatives?
In the first case we can punish AT&T for allowing the vulnerability. However, there is a real problem with doing this: A small penalty will have no effect, and a penalty large enough to motivate AT&T will also be large enough to bankrupt any startup, which would increase risks and compliance costs for small businesses and quite plausibly outweigh the benefit of deterring insecurity. On top of that, if companies are punished for vulnerabilities then they may just not report them at all, even in cases of explicitly malicious attackers, which would go so far as to prevent the third parties affected from trying to mitigate the damage.
The second alternative would be to punish the party who conducts an unauthorized but mostly harmless investigation into a vulnerability without the consent of the party who negligently created it. Naturally this may deter some proportion of the people likely to engage in such behavior from doing so. However, that deterrence is not particularly productive, because it leaves the vulnerabilities in place. Someone who harvests email addresses and publishes them to prove the vulnerability shames the negligent party into fixing it before some greater harm occurs, like a more malicious party harvesting the emails to use for a phishing scheme, which achieves the converse of the original: Instead of publishing the vulnerability and causing it to be fixed with minimal harm, you have a secret but significant and continuing harm and the vulnerability may never be exposed or fixed.
A third alternative would be to do both: Punish the party that created the vulnerability and the party that demonstrates it. But that's just the worst of both worlds. You deter those who would have the vulnerability fixed and leave it open for exploitation in secret by organized crime or foreign governments, meanwhile you still impose significant legal risk and compliance costs on the economy.
Which leaves the alternative of not punishing anyone. In that case the vulnerabilities get published and the corporations are shamed into fixing them. A corporation that repeatedly suffers security vulnerabilities has its reputation destroyed and suffers in the marketplace to the degree that its customers place a value on the security of their data, providing a market-based incentive for good security. Meanwhile "attackers" who merely experiment and publish vulnerabilities are encouraged to do more of that work, but those who engage in e.g. fraud are still punished under the specific laws against that class of behavior.
Between those four, it seems to me the last is best.
> But the problem is, the government is doing it exactly backwards. We need to be punishing AT&T for the fact that Weev gained access. Not punishing the person who got in.
I don't understand this line of reasoning. In any other context we'd be calling this "victim blaming."
The fact that you should have been more careful does not absolve the person who took advantage of that, nor is the government in the wrong for punishing the person who had malevolent intent,[1] rather than the person that was merely careless. Hell, one of the great things about living in a civilized society is that you don't have to be paranoid about your own security--that's why we created government.
The real lesson here is that the internet is now a part of everyone's "normal life," and people are going to expect it to be orderly in the same way other things in their life are orderly. Just as the wild west was tamed, the internet will be tamed, and it will be a good thing (romanticism aside).
[1] And yes, "I'm just dicking with you" is malevolent intent, as anyone who has dealt with a bully knows. Weev is at best a bully, the kind of person who dicks with you just because he can, as a way of showing his power over you. Indeed, most "black hat" hackers fit this bully archetype.
'Not punishing the person that got in' is too far, the guy did break the law. However, this is not exactly AT&T minding their own business and being taken advantage of, they should have a responsibility to act in a responsible manner with data they have collected and stored. They do deserve blame in this instance.
Describing it as victim blaming is also going to far.
As with all security problems- a mistake was made and then exploited. It's reasonable to assess the situation and ask if they did all they should. It's also reasonable to assess their failure. But they didn't just call weev up and ask him if he wanted the data. His partner took it and then Weev seized an opportunity to gain some attention.
It is not too far to call this victim blaming. This could just as easily happened to any upstart startup or fortune 1000 company.
Nothing was "exploited" since the information was made freely available to the public with no restrictions. Had there been ANY security at all then he might be charged and convicted of hacking. But he wrote a scraper for an unsecured web service. That CANNOT be a crime in a moral sense and it's a travesty that it is a crime in a legal sense.
If you didn't masquerade as an ipad, you couldn't have gotten the data. It was a shitty control, but it was a control.
If you put the situation into context- weev's behavior isn't something you'd hold up on a pedestal. It's hard to engage moral outrage for such a determined asshole. Read Chole Dykstra's recounting of her experience with this douche and ask yourself about what you're defending? http://bedizen.livejournal.com/258763.html
I just can't give two shits about this turd. You've seen the new CFAA proposals that are coming out. They're actually worse than what threw him in jail. Weev would probably find enjoyment in that outcome, as once again his actions trolled the shit out of everyone.
Yeah I'm sure he's a real jackass. I don't give a rat's ass about him as an individual. But I do care that the law is applied evenly to everyone irrespective of how much we like or don't like them. That's what makes it the rule of law, rather than a popularity contest. If the law is applied unevenly the just-ness is removed from justice, perverting it. It makes me sad that we live in a world where injustice is OK because it happened to a person we don't like.
No. The problem is trying to equate this with physical crimes.
Here's a more proper analogy. Suppose some guy likes to dance about in his house nude wearing a silly hat. He leaves his windows open during this. One day a perv takes photos of him through the window from a public street and puts the photos on the internet. The dancing man is horrified because it is quite a silly hat. Did the perv commit a crime?
In any other context we'd be calling this "victim blaming."
You might. 'In any other context' we would do no such thing. And I am quite happy to hold both parties to account for negligence and no small degree of (in AT&T's case institutional) malice.
Being careless with other people and their things is a crime. It's just a matter of managing the prosecution.
Being careless with other peoples' things is not generally a crime. It might be the basis for a civil suit, but it's not generally criminal.
Criminal law is all about intent. There are four kinds of intent (under the Model Penal Code): Purpose, Knowledge, Recklessness, Negligence. Mere negligence is rarely the basis for criminal liability (it is, however, the basis for tort law). Criminal liability starts at recklessness. Weev is punished and AT&T is not because Weev intended to improperly access data he was not supposed to access, while AT&T was merely negligent in allowing him to do so.
We treat the stupid better than the malicious, and I personally think that's a good thing.
You're right that I mischaracterized the legal status of the issue - though I think saying that this 'might be' the basis for a civil suit is seriously understating things, given the degree of incompetence demonstrated by AT&T in securing private information.
It's also possible that AT&T violated data privacy laws in certain jurisdictions, which might or might not be a criminal matter.
I'm not particularly interested in defending Weev, though I have to say that prosecuting someone for accessing data you published on the Internet with no access control does not a good reputation make.
I don't know that "the government" really needs to have any particular agenda here. All that's required is that someone like Weev, with a well-known penchant for mischief and disrespect for authority, be placed in a situation like prison, where all of the existing structures are in place to prevent mischief and preserve authority. They have a tool (solitary) used to control inmates who cannot otherwise be controlled, and they used it.
Now sure: this seems like (and is, I argue) an unjust abuse in the abstract. But the specific situation here is that the prison has an inmate they don't understand. So you have to expect the bureaucracy isn't going to handle it well.
None of that requires a conspiracy, just a staff trying to do its job under strange circumstances.
True, but unfortunate and disturbing at the same time. He would effectively be tweeting similarly if he were to send postcards every single day (or a stack each weekend): more latency, basically same information.
Like the article says,
> According to the National Institute of Justice, "administrative segregation" is a synonym for solitary, and is reserved:
> for violent or disruptive behavior. AS typically involves single-cell confinement for 23 hours daily; inmates are allowed one hour out of the cell for exercise and showers.
That disruptive sticks out. It fits Weev pretty well.
I wouldn't be surprised if he's alone to protect himself.