NYLXS Mailing Lists and Archives
NYLXS Members have a lot to say and share but we don't keep many secrets. Join the Hangout Mailing List and say your piece.

MESSAGE
DATE 2013-01-17
FROM Ruben Safir
SUBJECT [NYLXS - HANGOUT] Post Mortum legal explosion

----- Forwarded message from Redpill -----

From: Redpill
To: hangout-at-mrbrklyn.com
Subject: RE: [NYLXS - HANGOUT] Post Mortum legal explosion
Date: Tue, 15 Jan 2013 10:21:42 -0500

This is all by design

They are trying to stretch the law with vague writing in order to
criminalize (felon-ize) website Terms of Service breaches

Extremely dangerous

His expert witness who now will never testify in open court:
unhandled.com/2013/01/12/the-truth-about-aaron-swartzs-crime/

The Truth about Aaron Swartz's "Crime"
Alex Stamos

I did not know Aaron Swartz, unless you count having copies of a
person's entire digital life on your forensics server as knowing him. I did
once meet his father, an intelligent and dedicated man who was clearly
pouring his life into defending his son. My deepest condolences go out to
him and the rest of Aaron's family during what must be the hardest time of
their lives.

If the good that men do is oft interred with their bones, so be it, but in
the meantime I feel a responsibility to correct some of the erroneous
information being posted as comments to otherwise informative discussions at
Reddit, Hacker News and Boing Boing. Apparently some people feel the need to
self-aggrandize by opining on the guilt of the recently departed, and I
wanted to take this chance to speak on behalf of a man who can no longer
defend himself. I had hoped to ask Aaron to discuss these issues on the
Defcon stage once he was acquitted, but now that he has passed it is
important that his memory not be besmirched by the ignorant and uninformed.
I have confirmed with Aaron's attorneys that I am free to discuss these
issues now that the criminal case is moot.

I was the expert witness on Aaron's side of US vs Swartz, engaged by his
attorneys last year to help prepare a defense for his April trial. Until
Keker Van Nest called iSEC Partners I had very little knowledge of Aaron's
plight, and although we have spoken at or attended many of the same events
we had never once met.

Should you doubt my neutrality, let me establish my bona fides. I have led
the investigation of dozens of computer crimes, from Latvian hackers
blackmailing a stock brokerage to Chinese government-backed attacks against
dozens of American enterprises. I have investigated small insider violations
of corporate policy to the theft of hundreds of thousands of dollars, and
have responded to break-ins at social networks, e-tailers and large banks.
While we are no stranger to pro bono work, having served as experts on EFF
vs Sony BMG and Sony vs Hotz, our reports have also been used in the
prosecution of at least a half dozen attackers. In short, I am no
long-haired-hippy-anarchist who believes that anything goes on the Internet.
I am much closer to the stereotypical capitalist-white-hat sellout that the
antisec people like to rant about (and steal mail spools from) in the weeks
before BlackHat.

I know a criminal hack when I see it, and Aaron's downloading of journal
articles from an unlocked closet is not an offense worth 35 years in jail.

The facts:

  * MIT operates an extraordinarily open network. Very few campus networks
    offer you a routable public IP address via unauthenticated DHCP and then
    lack even basic controls to prevent abuse. Very few captured portals on
    wired networks allow registration by any visitor, nor can they be easily
    bypassed by just assigning yourself an IP address. In fact, in my 12 years
    of professional security work I have never seen a network this open.
  * In the spirit of the MIT ethos, the Institute runs this open,
    unmonitored and unrestricted network on purpose. Their head of network
    security admitted as much in an interview Aaron's attorneys and I conducted
    in December. MIT is aware of the controls they could put in place to prevent
    what they consider abuse, such as downloading too many PDFs from one website
    or utilizing too much bandwidth, but they choose not to.
  * MIT also chooses not to prompt users of their wireless network with
    terms of use or a definition of abusive practices.
  * At the time of Aaron's actions, the JSTOR website allowed an unlimited
    number of downloads by anybody on MIT's 18.x Class-A network. The JSTOR
    application lacked even the most basic controls to prevent what they might
    consider abusive behavior, such as CAPTCHAs triggered on multiple downloads,
    requiring accounts for bulk downloads, or even the ability to pop a box and
    warn a repeat downloader.
  * Aaron did not "hack" the JSTOR website for all reasonable definitions of
    "hack". Aaron wrote a handful of basic python scripts that first discovered
    the URLs of journal articles and then used curl to request them. Aaron did
    not use parameter tampering, break a CAPTCHA, or do anything more
    complicated than call a basic command line tool that downloads a file in the
    same manner as right-clicking and choosing "Save As" from your favorite
    browser.
  * Aaron did nothing to cover his tracks or hide his activity, as evidenced
    by his very verbose .bash_history, his uncleared browser history and lack of
    any encryption of the laptop he used to download these files. Changing one's
    MAC address (which the government inaccurately identified as equivalent to a
    car's VIN number) or putting a mailinator email address into a captured
    portal are not crimes. If they were, you could arrest half of the people who
    have ever used airport wifi.
  * The government provided no evidence that these downloads caused a
    negative effect on JSTOR or MIT, except due to silly overreactions such as
    turning off all of MIT's JSTOR access due to downloads from a pretty easily
    identified user agent.
  * I cannot speak as to the criminal implications of accessing an unlocked
    closet on an open campus, one which was also used to store personal effects
    by a homeless man. I would note that trespassing charges were dropped
    against Aaron and were not part of the Federal case.

In short, Aaron Swartz was not the super hacker breathlessly described in
the Government's indictment and forensic reports, and his actions did not
pose a real danger to JSTOR, MIT or the public. He was an intelligent young
man who found a loophole that would allow him to download a lot of documents
quickly. This loophole was created intentionally by MIT and JSTOR, and was
codified contractually in the piles of paperwork turned over during
discovery.

If I had taken the stand as planned and had been asked by the prosecutor
whether Aaron's actions were "wrong", I would probably have replied that
what Aaron did would better be described as "inconsiderate". In the same way
it is inconsiderate to write a check at the supermarket while a dozen people
queue up behind you or to check out every book at the library needed for a
History 101 paper. It is inconsiderate to download lots of files on shared
wifi or to spider Wikipedia too quickly, but none of these actions should
lead to a young person being hounded for years and haunted by the
possibility of a 35 year sentence.

Professor Lessig will always write more eloquently than I can on
prosecutorial discretion and responsibility, but I certainly agree that
Aaron's death demands a great deal of soul searching by the US Attorney who
decided to massively overcharge this young man and the MIT administrators
who decided to involve Federal law enforcement.

I cannot speak as to all of the problems that contributed to Aaron's death,
but I do strongly believe that he did not deserve the treatment he received
while he was alive. It is incumbent on all of us to figure out how to create
some positive change out of this unnecessary tragedy. I'll write more on
that later. First I need to spend some time hugging my kids.

-----Original Message-----
From: owner-hangout-at-mrbrklyn.com [mailto:owner-hangout-at-mrbrklyn.com] On
Behalf Of swd
Sent: Monday, January 14, 2013 2:15 PM
To: hangout-at-mrbrklyn.com
Subject: RE: [NYLXS - HANGOUT] Post Mortum legal explosion

Welcome to the United Snakes of Amerikkka. Best wishes for a life here.
s

-----Original Message-----
From: owner-hangout-at-mrbrklyn.com [mailto:owner-hangout-at-mrbrklyn.com] On
Behalf Of Ron Guerin
Sent: Monday, January 14, 2013 12:51 PM
To: hangout-at-nylxs.com
Cc: Ruben Safir
Subject: Re: [NYLXS - HANGOUT] Post Mortum legal explosion

On 01/14/2013 12:17 PM, Ruben Safir wrote:
>
> Look at this fall out
>
> http://www.volokh.com/2013/01/14/aaron-swartz-charges/

Other experts have opined that the most Swartz /should/ have been charged
with was trespassing and a $100 fine. That of course is beside the point of
this piece, which was about whether or not the law supported the charges
Swartz was facing.

This inevitably leads again though to the question of whether or not our
legal system has gone off the rails. Prefacing this by saying I don't have
any authoritative information to work from, my understanding is Swartz wrote
a Python script that used curl to download documents from a network that had
been given full access to those documents, and that all parties operating
this network were aware of this openness. For that he was supposedly facing
35 years.

Can you imagine the charges if he'd wrecked the economy of the United
States? You can't because nobody's been charged. Priorities.

- Ron

----- End forwarded message -----
