1. 10

  2. 8

    Oh hey but querying a publicly-exposed HTTP endpoint is totally breaking and entering, which is why weev is in jail, right?

    1. 10

      First point. The rules are different for citizens and law enforcement. That’s both good and bad, but it’s the way it’s always been. We grant the state a (hopefully limited) monopoly on violence to protect ourselves from the violence of others. “If the popo can do it, I can do it” has never been a solid argument.

      Second point. I think there’s some wiggle room here where the FBI was “back hacking” people that came to their ostensibly illegal website voluntarily. AT&T did not initiate contact with weev.

      Narrow technical point: As I understand it, the FBI didn’t really take anything from or otherwise access the suspect computer. They tricked it into talking to them. Like if the FBI wants your fingerprints and has an undercover agent drop his phone in front of you, then you pick it up and hand it back. They didn’t grab your hand and print you, they didn’t make you touch the phone, etc.

      The FBI hacking into suspect’s computers (or online accounts) can certainly be problematic. I don’t think the particular facts in this case are alarming though.

      1. 9

        Some reasonable points, but again, let’s look at the quote:

        Just as the area into which the officer in Carter peered—an apartment—usually is afforded Fourth Amendment protection, a computer afforded Fourth Amendment protection in other circumstances is not protected from Government actors who take advantage of an easily broken system to peer into a user’s computer. People who traverse the Internet ordinarily understand the risk associated with doing so

        I am deeply uncomfortable with the idea that it’s okay for the government (but not the citizenry!) to do something because it would be taking advantage of “an easily broken system”. That definition doesn’t even make sense–“easy” today for a private citizen would have been “impossible” for a government of a few decades ago, and certain types of attacks are “easy” only if you’re a state actor. Such naked appeals to might-makes-right should give us all cause for concern.

        The reason I bring up weev (shitbag though he is) is that he did a completely technically reasonable thing in querying a public API–not even the “easily broken” bar that the FBI seems to now hold itself to. If the justice system at once both condemns standard uses of technology for accessing Internet resources and then hides behind “normal internet users understand the risks” when it suits them, it again is shady as fuck.

        1. 3

          Yeah, “ease” and “risk” are loosely defined. That part of the opinion may be questionable. (Personally, if I’m surfing a hidden site for kiddie porn, my danger meter is at 11.)

      2. 3

        I just want to note be weev was released in 2014. Point still stands.

      3. 7

        From the judge:

        People who traverse the Internet ordinarily understand the risk associated with doing so.

        There is no way that judge actually believes that statement to be true. “People who traverse the Internet” have no clue what security risks and protections exist. I really hope the decision will be revised at appeal because of sentences like that one which set a dangerous precedent.

        1. 6

          Everything you send over the Internet is like a postcard that anybody can read used to be pretty common lay advice. The judge probably heard it too.

          If people incorrectly believe Internet traffic is secret, we should educate them, not indulge their fantasy.

          1. 6

            We should indulge that fantasy by making it true.

            1. 2

              I don’t disagree, but the 4th Amendment is a poor means of accomplishing that. There are entities not bound by the 4th Amendment that one should also be concerned with.

          2. 2

            Similarly, because the people who live in homes ordinarily understand the risk of burglars associated with doing so, search warrants for homes are no longer required.

            Also, because the people who walk down the street ordinarily understand the risk of mugging associated with doing so, probable cause is no longer required for searches and arrests.

            1. 2

              I think you have the causality reversed. I lock my door precisely because I understand the risk of burglars. When I walk down the street, anybody can see whether I’m wearing a green shirt or a red shirt. But they can’t read the numbers off the credit card in my wallet.

              1. 2

                I imagine people who use Tor are doing so because they think they’re mitigating the risk associated with traversing the Internet without it. Conversely, most people use “easily broken” locks on their doors. So the reasoning–or more precisely the judge’s choice of imperfect analogies for internet behavior–is still disturbing.

                1. 2

                  One would think that a user sophisticated enough to use tor would know more, not less, about how the internet works. If the user is misinformed about how tor works, isn’t that the fault of the tor team, not the FBI? There’s some analogy here to a bank robber who “mitigates risk” by wearing a fake mustache.

                2. 2

                  I was following the logic of this judge and the wording of this article for darkly humorous effect.

                  1. 2

                    That’s fair, but I think there’s a distinction to be made between “expected to happen” and “could happen” and “want to happen”.

                    I do not expect to find strangers in my house although it is possible. As for my internet traffic, while I may not want people to sniff it, I don’t expect it to remain secret.

                  2. 2

                    But they can’t read the numbers off the credit card in my wallet.

                    Minor point of order: they can still sniff the RFID on your passport and other cards. :)