Read and Inciteful Comment on Story
I was sympathetic to the individual (Why Must ALL MUGSHOTS look like you're some Terrorist or Drug Addict?), until someone brought up a good point.
When he discovered the exploit, instead of reporting the problem, he continued exploiting the hole. He managed to collect 114,000 Emails. It's irrelevant if he USED THEM nefariously or not. That's only going to factor into his sentencing. What the man did was illegal (Sorry Buddy You aren't ATT with the Patriot Act on Your side Only our Government and their cronies can wrongfully collect information.). Thus, by the double standards we live by here, he's guilty. Five Years guilty? I'd hope not, but guilty as he didn't report the problem.
He'd have been better off letting them know immediately, keeping his trap shut and selling the information anonymously, or handing it over to WikiLeaks. Instead, he commits a crime and has a change of heart that then lands him in hot water after he confesses to the world.
Illegal to possess email addresses? To possibly "embarrass" a company? I don't think what he did qualifies as "hacking".
It's not illegal to possess the emails. It's the act in which he acquired the emails that constitutes breaking the law. Instead of reporting the problem, the man continued to exploit the issue.
Here's an example. Let's use Pinto. The makers knew the car had a fault that may cause an explosion. Instead of rectifying the problem, the company continued to ignore the issue and plead ignorance. Like the man above, both used the ignorance plea to their advantage.
It's not as if he couldn't have picked up the phone to call ATT and notify them. Heck, he could have even gone to the Media and made $$$ off it and still been in the clear. Instead, he continued to use the script to extract 114,000 emails and tell his buddies.
Difference is that in your example Pinto is the one acting negligently. Punishing an independent mechanic for not reporting the problem would be ridiculous, even if they told a "confidential informant" that they are looking forward to people dying.
|reply to Wilsdom |
He didn't *hack* anything
I agree -- he simply figured out that he could enter numbers and get the user that corresponded to it. At no time did he access any portion of the website not normally available to the public. He didn't use SQL injection or probe the site for existing vulnerabilities. He simply put some numbers into a box and hit SUBMIT! What mad l33t skillz!
The law about "unauthorized access" is too vague. The worst he did was violate their TOS and embarrass them for having made such a stupidly poor site. Oh, and don't forget he went to IRC to brag about it -- that's the double death!
John M - Cranky network guy
|reply to Wilsdom |
Re: Read and Inciteful Comment on Story
Actually, you're wrong. If a Mechanic is aware that a certain part is faulty and continues to use the item, he or she may be liable. Let's give the example of tires. Say the Mechanic has repeated complaints about a tire blowing out and ignores the customer.
Said Mechanic fails to notify company of complaints, and a customer dies. If the family finds out the Mechanic didn't take due diligence and let the manufacturer know the part he received was faulty, then he MAY be liable, too.
Ignorance is not an excuse to ignore one's duties.
|reply to MooJohn |
Re: He didn't *hack* anything
I'm not denying there's a gray area here, but the actions following his exploit were what made them criminal. Instead of going to ATT, he bragged to friends and seemed intent on possibly harming ATT. Nonetheless, he might win on appeal due to the vagueness of the law.
Nonetheless, his actions were borderline criminal if not criminal. It doesn't matter if he used SQL injection or script kiddy code. The end result was the same. ATT had a flaw, with said individual exploiting the flaw.
Your argument is like a person leaving a possession on their front porch and then justifying the stealing of the item. Even if I leave money sitting out in plain sight, it's still theft if you take it off my property. It doesn't matter if you are a career criminal or opportunistic. You've committed the same act of theft.
He didn't *steal* anything either
No one was deprived of anything. He obtained a list of owners' email addresses -- oh the humanity!
If he tried to extort them or cause financial harm, charge him with that. To say his access was criminal simply because he typed things into the box that they didn't expect and it spit out information is ludicrous.
John M - Cranky network guy
Your literacy skills need a bit of fine tuning. HE DID talk about exploiting the email addresses. That's where the FBI came in.