Since they actually went past the SQL injection and then created a fake record for an employee, I'm shocked that Homeland did not come after and arrest those involved. Homeland would have been top of the list to misinterpret a disclosure and prefer to refer to the disclosure as malicious hacking instead of responsible disclosure. I'm more impressed by this than the incompetence of the actual issue.
You're not wrong, but I would have a hard time as a jury member convicting them of a CFAA violation or whatever for creating a user named "Test TestOnly" with a bright pink image instead of a photo.
If they had added themselves as known crewmembers and used that to actually bypass airport screening, then yeah, they'd be in jail.
That's what jury instructions are for. The judge can instruct the jury to ignore pretty much any facts and consider any subset of what really happened that they want. So they'd just instruct "did they access the system? Were they authorized? If the answer to the first question is yes, and to the second is no, the verdict is guilty, ignore all the rest". The jury won't be from the HN crowd, it would be random people who don't know anything about CFAA or computer systems, it will be the easiest thing in the world to convict. Those guys got so lucky DHS exhibited unusually sensible behavior, they could have ruined their lives.
I once got called into jury duty and sat through jury selection. On that day, protesters were outside the courthouse calling awareness to jury nullification, so the judge brought it up. He said something like: "jury nullification is a constitutional right, but you waive those rights when you take the oath of a juror. It is not an option to you." I really wanted to say "but that constitutional right is not my right, it's the defendant's right. How can I waive the defendant's constitutional right to a trial where jury nullification is a possible outcome?" However, it was a rape trial, where nullification would be an awful outcome (basically saying: yeah, he raped her, but that shouldn't be illegal in this case ... yuck), so I kept my mouth shut. But it still bothers me that the judge was so glib about "waiving" the constitutional rights of the defendant.
> But it still bothers me that the judge was so glib about "waiving" the constitutional rights of the defendant.
Around here, people are clamoring for a judge to be recalled because she is on top of rights for defendants. A recent one I watched on Zoom was a prosecution motion to revoke bail:
Prosecutor: "Because blah blah blah, and in addition the defendant shows no signs of taking responsibility for his actions, we..."
Judge, cutting her off: "I'm going to stop you there. The defendant entered a plea of not guilty, and as of this moment has not been found guilty at trial. In the eyes of the court, he has precisely zero obligation to take responsibility for alleged actions at this point in time."
People want that judge to be recalled? So not only are people opposed to trial by jury, they also want the judge to be biased towards the prosecution? Why? Just the usual "tough on crime" dogwhistles?
Mostly so. They're the same ones who comment on posts about fires at homeless encampments as "Good" or "Too bad it didn't wipe the place out" and sycophantic "Thank you Sheriff" when the department posts about an arrest.
Which countries make Jury Nullification a constitutional right for defendants? I looked at the Wikipedia article (US section), and it only refers to it as a power possessed by a jury.
If a defendant has the constitutional right to trial by a jury, and that jury has autonomy to make an independent decision, then jury nullification is a possible outcome.
If jury nullification is not a possible outcome, then either the defendant doesn't have a right to trial by jury, or that jury is not allowed to make an independent decision.
Defendants don't have a direct constitutional right to jury nullification (the Constitution doesn't say anything about nullification). It's just a logical consequence: if the jury really can make independent decisions, then nullification is necessarily one of those possible decisions.
I don't know your case, but the term "rape" has been legally expanded a lot from what we might imagine when we hear the word "rape" (forceful sexual act).
Legally it can mean a case where a man met a woman in a bar, she was not drunk and wanted to go home with him. She explicitly consented. Later it ends up that she was using a fake ID to get into the bar, she was only 17.9 years old in a state where the age of consent is 18. Or alternatively, the guy recently moved a block over. In his old location the age of consent was less than 18, but now he moved and he committed rape (aka, the opinion that got Richard Stallman to step down).
YMMV but I don't think in my state either of those things would be tried as just "rape".
If there's no force/threats/drugs etc involved and the minor consents, it's charged as statutory rape which is different than capital-R rape.
Statutory rape can be a felony, but in cases like an 18 year old and a 17.5 year old having sex it's a misdemeanor, and realistically 99.999% of the time it happens there are no charges.
I had a very similar situation when I was called. The trial subject was systematic elder abuse and neglect by a person in a position of power at a hospital. I was very glad to not be chosen. I would not have nullified and I did not want to spend weeks hearing about how this woman basically tortured helpless people.
I told a prosecutor during voir dire that I wouldn’t follow a judge’s instruction if it was a case involving drugs (I think it was a shoplifting case, so not relevant to the particular case). That was enough to be excused by the prosecutor.
Everyone says this but when people say "critical thinking skills" it really means "is obvious they will willfully disobey the instructions given to them by the judge and hold their own moral/ethical code above the law."
You're literally describing jury nullification in a situation where by the hypothetical judge's instructions they're obviously guilty. I might agree with you that the law is bullshit but by right you and I should be dismissed.
> hold their own moral/ethical code above the law ... I might agree with you that the law is bullshit
This is the entire reason that we have trial by jury and not trial by judge. I'm not sure how this got lost over the centuries. If 12 of your peers think you did it but the law is bullshit and you shouldn't have your life destroyed because of some stupid technicality in a bullshit law, then you should walk free! I'm aware this has been used to horrible ends in the past (e.g. 12 white jurors nullifying a lynching) but that's a problem with jury selection (and those so-called peers), not with nullification.
> You're literally describing jury nullification in a situation where by the hypothetical judge's instructions they're obviously guilty
Yes, that is the only time nullification is relevant. If a judge can lead the jury to one verdict or another via his instructions, then it's not a trial by jury at all. It's a trial by judge. The founders understood that -- they didn't want a trial by judge. The jury is a check on the judge's power!
A jury is a peer, not a subordinate, of the judge, and they should keep each other in check. Some tyrannical judges don't understand this. Sometimes the judge has to be reminded he is wrong in a way he can't prove he's been reminded, however.
> That's what jury instructions are for. The judge can instruct the jury to ignore pretty much any facts and consider any subset of what really happened that they want. So they'd just instruct "did they access the system? Were they authorized? If the answer to the first question is yes, and to the second is no, the verdict is guilty, ignore all the rest".
The only real protection is the fact that you can vote whatever way you want and not even a judge can compel you to state your reasoning.
In part yes, but it inevitably devolves into an ad hominem attack against the most high profile case of a guy who did it, who is now hiding in Ukraine on a Pridnestrovian passport after having his conviction overturned (temporarily), giving him an escape window.
Weev hasn’t been in Ukraine in a good few years. He was last confirmed spotted in Transnistria before the 2022 invasion and apparently hasn’t moved on since.
His stay in Ukraine was rather brief, he was… not well liked there.
How do you have a conviction temporarily overturned? I thought the US had rules about double jeopardy. Unless you're referring to some other charges he hasn't been tried for.
Overturning a conviction is usually permanent; however, that does not necessarily mean the verdict becomes Not Guilty, and only when the verdict is Not Guilty does double jeopardy come into play. It is possible for a higher court to overturn a lower court's decision, have it returned for reconsideration, or even order a whole retrial. In other cases a higher court will overturn a verdict and instruct the lower court to change the verdict to Not Guilty.
They ruled it was tried in the wrong jurisdiction thus basically never happened. There is likely a sealed indictment awaiting in another jurisdiction where they will try again, now knowing the trial strategy of the defense.
It's an excellent choice IMO from his perspective. They grant citizenship after 1 year with not a lot of questions and have a cash economy. And they don't extradite to the US.
They're also not above confiscating your cash and killing you if it suits them. Or (before the war) they wouldn't think twice about sending you to Russia to be used as a bargaining chip.
Weev is effectively banned from the banking system. The list of places with enough infrastructure to survive as a hacker, without foreign citizenship and in a cash/crypto economy with no extradition treaty is thin. I'm sure Transnistria might do that but apparently it wasn't worth their time to kill him. Seems better than North Korea, Iran, or the bush of Africa.
It's an incredibly basic form of pen testing. For example, this reply page URL refers to id=41393364, which is presumably your comment. So what happens if I replace it with a different number? Probably something innocent, but maybe not.
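The probe described above (swapping the id in the URL) is a test of object-level authorization; the defender's fix is to authorize every lookup per object and to log denials so that id walking shows up in the audit trail. The Python below is an added example, not code from this thread or from HN; the comment store, user names, audit list and threshold are all constructed for the demo.

```python
# Constructed sample data: comment id -> (owner, visibility, text)
COMMENTS = {
    41393364: ("alice", "public", "Hello HN"),
    41393365: ("bob", "draft", "unpublished draft"),
    41393366: ("carol", "deleted", "removed by author"),
}

# Constructed in-memory audit log of (caller, comment_id, outcome) tuples.
AUDIT = []


def fetch_insecure(comment_id):
    """Vulnerable lookup: whoever supplies an id gets the whole record.

    This is the pattern the 'change the number in the URL' probe finds.
    """
    return COMMENTS.get(comment_id)


def fetch_checked(caller, comment_id):
    """Hardened lookup: the decision is made per object, not per endpoint.

    'caller' is None for an anonymous request. Missing and not-yours both
    return None, so a prober cannot learn which ids exist from the response,
    and every denial is written to the audit log.
    """
    row = COMMENTS.get(comment_id)
    if row is not None and (row[1] == "public" or row[0] == caller):
        AUDIT.append((caller, comment_id, "ok"))
        return row[2]
    AUDIT.append((caller, comment_id, "denied"))
    return None


def enumeration_suspects(audit, threshold=3):
    """Callers whose denied lookups include a run of >= threshold consecutive ids.

    Sequential denied ids are the signature of id walking rather than a
    single mistyped link; the threshold is a constructed tuning value.
    """
    denied_ids = {}
    for caller, cid, outcome in audit:
        if outcome == "denied":
            denied_ids.setdefault(caller, set()).add(cid)
    suspects = set()
    for caller, ids in denied_ids.items():
        run, best, prev = 1, 1, None
        for cid in sorted(ids):
            run = run + 1 if prev is not None and cid == prev + 1 else 1
            best, prev = max(best, run), cid
        if best >= threshold:
            suspects.add(caller)
    return suspects
```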
Yeah, I wouldn't have convicted Weev either. There is a difference though. He used that incremented number to access actual user PII. These guys created a user with no PII and no actual malicious use.
> You're not wrong, but I would have a hard time as a jury member convicting them of a CFAA violation or whatever for creating a user named "Test TestOnly" with a bright pink image instead of a photo.
> If they had added themselves as known crewmembers and used that to actually bypass airport screening, then yeah, they'd be in jail.
I think it could go any which way. The prosecution could argue that the defendant may have tampered with existing records or deleted some. In this particular case, it’s probable that the system does not have any or adequate audit trails to prove what exactly transpired. Or the claim could be that the defendant exfiltrated sensitive data (or that the defendant is trying to hide it) to share with hostile entities.
If the system has no audit logs, the prosecutor would have no evidence of any of that.
And in a system this broken the defence could even argue that anyone could have done it and modified the logs to implicate the defendant. You can't use any data from this system as evidence.
Best case, assuming you even get charged, your case gets picked up by the EFF, ACLU, IFJ, etc. You spend nothing, you win, and you get a lot of free publicity for your pen testing company.
Worst case, nobody comes to help you, you spend all of your money, still lose the case, end up in a shitty US prison, and get stabbed in the shower by some guy driven crazy by spending months in solitary.
Personally, I would not mess with security research on anything even distantly related to US Gov.
If anyone from there reads the parent, they should know they have created an atmosphere where the worry of possible prosecution over responsible disclosure has the potential to scare away the best minds in our country from picking at these systems.
That just means the best minds from other, potentially less friendly countries, will do the picking. I doubt they will responsibly disclose.
I personally don't comprehend how these people are taking such huge risks. Once a bureaucrat wakes up one morning in the wrong mood, your life is ruined at least for the next decade, maybe forever. Why would anyone do it - just for the thrill of it? I don't think they even got paid for it?
I’m not sure any country’s bureaucracy really appreciates responsible disclosures that make the government’s systems look very poorly designed. There is always the risk of being classified as an enemy agent/criminal depending on who’s reading the report and their own biases.
They've had that relationship for a few years now, so I'm guessing they're somewhat versed. TSA specifically might be less so, but I can't imagine the DHS referring anything to the DOJ for prosecution given that they both have a VDP for the entire department and advise other departments on how to run VDPs (via CISA).
In some countries where this is the norm, like Germany, the usual route is to report the issue to journalists or to non-profits like the CCC, and those then report the issue to the government agency/company. This way you won't get prosecuted for responsible disclosure. Alternatively, an even safer route is to write a report and send it to them anonymously with a hard deadline on public/full disclosure; you won't get any credit for the discovery this way, of course.
Depends. If no one currently cares, there is no significant structure or personnel or political change in the future several years, and they don't have any assets worth taking, and the government doesn't get any more desperate for assets to seize -- then they're out of the woods.
I doubt asset seizure is what they'd be after. I was thinking more of the "make an example out of them" mentality as an attempt to prevent others from being curious. Government entities don't tend to do well with knowing the difference between malicious hacking and responsible disclosure. The infamous governor and the View Source is a fun one to trot out as exhibit A.
Asset seizure is not because the government needs the money. It's because you need the money to pay for lawyers, legal experts, etc., and if your assets are seized, you can't - so you are much easier to pressure into making a quick guilty plea and get another successful prosecution added to the list. Of course, the whole process is the punishment as usual, but the asset seizure also plays an important coercive role there.
Don't even need to make an example... they probably have a warning/welcome pop-up that says 'unauthorized access to this system will result in...'
because the TSA lawyer is going to follow this simple train of thought - were the 'accused' authorized to access the system - gotcha!
The timeline mentions the disclosure was made through CISA, and on their website there is an official incident report form.
I can imagine an email to some generic email address could have gone down the way you describe, but I guess they look at these reports more professionally.
Good catch. Of course, different people wear different shades of hat, and I guess the author might have good rationale for going quite as far as they did, I don't know.
Kudos to the author for alerting DHS. Methodology questions aside, it sounds like the author did a service, by alerting of a technical vulnerability that would be plausible for a bad actor to seek out and successfully discover.
But regardless, I hope any new/aspiring security researchers don't read this writeup, and assume that they could do something analogous in an investigation, without possibly getting into trouble they'd sorely regret. Some of the lines are fuzzy and complicated.
BTW, if it turns out that the author made a legality/responsibility mistake in any of the details of how they investigated, then maybe the best outcome would be to coordinate publishing a genuine mea culpa and post mortem on that. It could explain what the mistake was, why it was a mistake, and what in hindsight they would've done differently. Help others know where the righteous path is, amidst all the fuzziness, and don't make contacting the proper authorities look like a mistake.