Friday, September 20, 2013

How Weev's prosecutors are making up the rules

Many of us believe that the conviction of Andrew "weev" Auernheimer proves that the system is corrupt, that the law can be arbitrarily applied to prosecute anybody. The rules are whatever the prosecutors say the rules are. There is one set of rules for the powerful, and another set for anybody who would challenge the powerful.

Today, prosecutors prove our theory correct. They submitted a 26,495-word brief in the appeal that does not conform to the Third Circuit's 14,000-word limit -- a limit that the defense struggled to fit within. In that brief, prosecutors arbitrarily redefined the Internet to prove that Weev (and friends) broke the rules. They liberally reinterpreted the rules of the Internet (the "protocols") to find Weev in violation -- while flouting the rules of the court themselves.

User-agent rules


On page 23, the prosecutors describe the "hack", pointing out how Weev and friends...

> changed the user agent in his Account Slurper program in order to trick the servers into thinking that he was using an iPad

That's not the rules of HTTP. The "user-agent" field is not intended to be a means of identification. Very clearly, the rules state:

> This is for statistical purposes, the tracing of protocol violations [mistakes], and automated recognition of user agents for the sake of tailoring responses to avoid particular user agent limitations. .... The field can contain multiple product tokens...

Since nearly the beginning of the Internet, all major browsers (such as today's Chrome, Firefox, Internet Explorer, Safari) claim to be "Mozilla", the codename of the original Netscape browser from almost 20 years ago. This was originally done because servers would send different versions of webpages to Netscape and Internet Explorer. Back around Internet Explorer version 3, when Microsoft upgraded their browser with features compatible with Netscape, they added "Mozilla" to their User-Agent to trick web servers into giving Microsoft the (better) Netscape pages. That it's okay for Microsoft to do this, or for Google to do this, but not okay for Weev, is an arbitrary and prejudicial distinction made by the prosecutors, redefining Internet protocols.
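
To make the "multiple product tokens" point concrete, here is a small tokenizer for the User-Agent grammar (a sequence of products and parenthesised comments), applied to representative strings for the four browsers named above. It is an added example, not part of the original post; the sample strings are typical of 2013-era browsers rather than captured traffic, and the function names are this example's own. Every sample leads with the "Mozilla" product, which is why a server can use the header to tailor a response but cannot treat it as identification.

```python
# Added example: tokenizer for the HTTP User-Agent grammar,
# User-Agent = 1*( product | comment ), product = token ["/" version].

def parse_user_agent(value):
    """Return ('product', name, version) and ('comment', text) items,
    honouring nested parentheses inside comments."""
    items, i, n = [], 0, len(value)
    while i < n:
        if value[i].isspace():
            i += 1
        elif value[i] == "(":
            depth, start = 1, i + 1
            i += 1
            while i < n and depth:
                if value[i] == "\\":      # quoted-pair: skip the escaped char
                    i += 1
                elif value[i] == "(":
                    depth += 1
                elif value[i] == ")":
                    depth -= 1
                i += 1
            if depth:
                raise ValueError("unterminated comment")
            items.append(("comment", value[start:i - 1]))
        else:
            start = i
            while i < n and not value[i].isspace() and value[i] != "(":
                i += 1
            name, _, version = value[start:i].partition("/")
            items.append(("product", name, version or None))
    return items

def products(value):
    """Product names only, in the order the client listed them."""
    return [it[1] for it in parse_user_agent(value) if it[0] == "product"]

# Representative sample strings (constructed for this example).
SAMPLES = {
    "Chrome": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/29.0.1547.76 Safari/537.36",
    "Firefox": "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0",
    "Internet Explorer": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
    "Safari (iPad)": "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 "
                     "(KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25",
}

if __name__ == "__main__":
    for browser, ua in SAMPLES.items():
        print(f"{browser:18} -> {products(ua)}")
```
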

URL rules


The same is true for the URL. You are probably reading this webpage using a web browser. At the top is the URL for this page, which you can edit by hand. You can edit it because that is the hope and intention of the designers of web browsers. It means you can debug and fix URLs that don't quite work. It enables an additional way to browse a website by trying out new combinations in the URL. If a URL has "articleID=12" on the end, the intention is that you can edit this to retrieve "articleID=13". That's how Weev and friends were able to access the information AT&T had made public.

But while they can edit the URL, most people don't. For that reason, prosecutors insist that it's illegal. On page 32, they describe a hypothetical "judicial law clerk" who is a "reasonably sophisticated computer user". They point out that this clerk would search in vain for hyperlinks, and thus, not be able to access the information since such hyperlinks don't exist.

This is a clever trick of the prosecutors. It exploits the fact that the way the judge is going to handle this case is to give the brief to the young clerk who spends a lot of time on Facebook, where "heavy Facebook use" is the proxy for "reasonably sophisticated computer user".

But that's like saying that because you drive to/from work every day, you are a sophisticated driver, capable of going out on the race track. Or, it's like saying that because you eat a lot, you are a sophisticated cook. Just because somebody is an expert with Facebook doesn't mean they have any clue as to how a computer works -- indeed, the entire point of the iPad is to appeal to unsophisticated users. According to the government's reasoning, this two-year-old using the iPad is a "reasonably sophisticated computer user".

This is why I say that Weev was convicted of "witchcraft" rather than "hacking". The judges, juries, prosecutors, and law clerks don't edit URLs, user-agents, or write scripts. They don't understand it. By the Arthur C. Clarke rule, it's equivalent to magic. When you challenge the powerful, you are guilty purely because you did something the average unsophisticated user isn't capable of.

Legitimacy rules


The start of the brief goes to great lengths to describe how Andrew's company, Goatse Security...

> is not, to put it mildly, a traditional security research company.

By this, of course, they mean it was just a couple of guys having fun rather than a large industrial firm with thousands of employees. But the reality is that over the history of vulnerability research, the vast majority of disclosures have been by "non-traditional" security researchers. Certainly, Goatse Security was very strange as a whole, but the core concept of discovering a security flaw and reporting it is as traditional as traditional gets.

That's why so many of us rally to Weev's cause: we are disgusted and repelled by the "Goatse" side of things, but we are no different in terms of security research. We are frightened by how the prosecutors arbitrarily define who is, and who isn't, a legitimate security researcher.

Who sets the rules


On page 64 of the prosecutor's brief is this outrageous paragraph:

> Major technology companies today – Microsoft, Google, Facebook, PayPal, and Mozilla, to name a few – all pay bounties to white hat hackers who find flaws in their systems and thereby help keep them secure. The Government is not aware of any instance in which a security researcher who followed the rules of ethical hacking was prosecuted for violating the CFAA. Often, when a white hat hacker discovers and reports a security flaw, he is rewarded financially for his work by the company that he has hacked. But no one, not even a white hat hacker, gets to make his own rules.

It starts with an outright lie. It is not true that "major tech companies all pay bounties". Only a tiny few do -- indeed, only the ones listed. The rest don't. IBM doesn't. HP doesn't. Samsung doesn't. Dell doesn't. Amazon.com doesn't. Intel doesn't. eBay doesn't.

And Apple doesn't. I point this out because this last week I've gotten a lot of PR for my website http://IsTouchIdHackedYet.com, where I am offering a bounty on Apple's new touch sensor precisely because Apple doesn't offer bounties. On this site, I am making my own rules. By all the prosecutor's reasoning, this is not "traditional" research. It is illegitimate, and therefore, I belong in jail.

I always make up my own rules. A week ago, I scanned the entire Internet. What are the rules of this? Well, the Internet is defined as an "end-to-end" network, so by that definition, it's allowed. But as we've seen, prosecutors don't care about how the Internet defines itself -- they just make up new definitions of the Internet. Scanning the Internet is actually a common thing for white-hats to do, but since many are afraid of arbitrary prosecution, they hide their activities. I'm transparent and open about it -- which means I'm potentially in violation of what prosecutors deem "traditional" security research.

This is again why the entire research community is afraid of the Weev ruling. We white-hats don't get to set the rules as to what constitutes legitimate, traditional white-hat research. It's the prosecutors who set these rules. Moreover, they are purely arbitrary: we won't know what they are until we've angered some powerful entity, and the police come to arrest us.

It is also important to point out that AT&T offers no bounties. The prosecutors are making the bizarre argument that since AT&T didn't follow the "rules" by offering a bounty, Weev belongs in jail. In other words, unless a company provides bounties, it's unethical to point out their flaws.

I love the middle sentence of the above paragraph, so I'm going to repeat it:

> The Government is not aware of any instance in which a security researcher who followed the rules of ethical hacking was prosecuted for violating the CFAA.

This is circular logic, saying that people who follow the rules don't break the rules. When the prosecutors make the arbitrary decision that you've violated the CFAA, they'll likewise decide that you don't follow the rules of ethical hacking. Such circular logic is the basis for the prosecutor's entire argument: Weev is a bad guy because he's a bad guy.

Conclusion


What made the Internet is that creative thinkers broke the traditional rules. The Internet is an "end-to-end" and "packet-switched" network that is in complete violation of the rules of traditional telecommunications up until 1990. Google makes a copy of everyone's website whether they allow it or not. Facebook provides an enormously expensive service for free -- without its customers realizing they pay in privacy. These giants all broke the traditional rules to create great things. That the powerful can break these rules, but unsympathetic characters like Weev cannot, is a threat to all of us. It's a threat to us personally when we anger the powerful. It's a threat to everyone else when the chilling effect stops innovation.

And finally, it's a threat to everyone because when products/services have vulnerabilities, no one will be brave enough to point them out.







6 comments:

TQ Hirsch said...

The most amusing thing about the whole "bounty" issue was that, in the incident they cited in footnote 16 (p.51), the researcher didn't get any bounty. He was ignored until he violated the "rules of ethical hacking."

yetihehe said...

> The rules are whatever the prosecutors say the rules are.
> I always make up my own rules.

>Google makes a copy of everyone's website whether they allow it or not.
Strange, robots.txt on my page still seems to be working...

.. Just two inaccuracies I've found in your post.

Sebastiaan Moeys said...

@ yetihehe: that hardly touches any of the points he's making.

yetihehe said...

@Sebastiaan You're right, it's just a little funny that he accuses someone of making up rules and omitting/misrepresenting some information, then makes those mistakes himself. I didn't say anything about his points, which I believe are right.

Unknown said...

@yetihehe The blogger is actually saying that the prosecutor is making up what constitutes "rules" and what breaks them. In contrast there is no set of rules pointed to and each company gets to define what breaks the rules. As an affirmation to this point he points out that he defines his own rules on his other website http://istouchidhackedyet.com/ where he is giving bounties to people based on his own rules.

lucia said...

Thanks for linking the prosecutor filing. I'll now drop the link at brandon's blog. :)