So I watched “The Internet’s Own Boy” earlier this week. If you aren’t familiar with this movie or Aaron Swartz and don’t have a few moments to do some google fu, here is a very brief summary:

The film tells the story of Aaron Swartz, focusing on his numerous accomplishments including RSS, Creative Commons, and Reddit, as well as his activism, battling for Open Access and against SOPA/PIPA, and the legal trouble he encountered as a result.

The film itself was very well done and very informative. Honestly, despite his impressive list of contributions, I wasn’t very familiar with Swartz, and I was completely unaware of his arrest and indictment until after he passed. I remember hearing about his passing, and as a result the incident with JSTOR, and being saddened and angered by the way that all went down. Watching the film yesterday I walked away with the same feelings. It’s so unfortunate that a young person with such a future, would be pushed to the point of suicide over something that is so… unnecessary.

I dont want to spoil too much of the movie for anyone who intends to watch it, but there are a few things that I wanted to bring up:

The Crime

Swartz authored a Python script which automated the downloading of academic journals from JSTOR using the free access provided by M.I.T. for students and staff. He left a laptop running this script in a network closet unattended in order to download these documents en masse. These documents were not released for free or pay by Swartz, and there is no definitive evidence of his plans for them. Swartz was a proponent for Open Access to information and was the author of the Guerilla Open Access Manifesto written sometime in 2008. For the prosecution, this was all that was necessary to show his intent. Regardless of one’s thoughts on what Swartz intended to do with the information he obtained, this is not Minority Report and we cannot be arrested for a crime that we have not committed. As far as I can tell from the (small) amount of reading on the topic I have done, Swartz was not authorized to use M.I.T’s network, or it’s JSTOR access. In that regard he likely was guilty of something, of what or how severe I do not know.

The Punishment

After it was all said and done Swartz was brought up on 13 felony charges, which carried a maximum sentence of 50 years in prison and 1 million dollars in fines. That is just absolutely outrageous to me. It is blatant that the U.S. justice system wanted to make an example out of him to prevent anyone with the same ideals from trying something similar. As they say in the film, Aaron Swartz wasn’t a hacker (at least not in the commonly accepted vernacular), but someone that looked kind of like a hacker. Enough that it would be easy to make a case against him. Even if he were guilty of everything they claimed he was, the punishment that he faced was so far over the top it’s almost laughable.

As many folks in Infosec will tell you, its hard to see something wrong and let it go. It’s why we do what we do. I know that what Swartz did is not the same, potentially motivated by social equality, whereas we are motivated by the desire to help people and organizations remain secure. What is the same is the desire to help, and the lack of permission. When I look at what happened to Aaron Swartz and to a lesser extent, the situation with weev, as a security professional, I am scared.

Don’t we, as humans, have a moral responsibility to call out things that are wrong? Shouldn’t that be encouraged?

The CFAA

The Computer Fraud and Abuse Act (CFAA) was introduced in 1986, and was originally intended to deter hacking of “protected” (government and financial) computer systems. Besides Swartz and weev other notable persons that have been prosecuted under the CFAA include Chelsea Manning, and George Hotz. There is strong criticism of the CFAA, mainly regarding its loose definitions and the fact that it is largely used to slam hackers with harsh penalties. For instance, in the case of weev, he or whoever ran the script, simply needed to provide an iPad user agent in the request. For those that aren’t familiar with user agents, it is something that says to a web server “hey, I’m Internet Explorer” or “hey, I’m Google Chrome” in this case it was “hey, I’m an iPad”. There were some other things that occurred during that incident, like what happened with the data and who was notified when, that are absolutely questionable, but the technical “hack” portion? Not worth the 41 months and $70,000+ fine that he got (although his conviction was eventually vacated). This quote from this article just about sums it up for me:

“The Computer Fraud and Abuse Act is the most outrageous criminal law you’ve never heard of,” Columbia Law School professor Tim Wu wrote in the New Yorker this week. “It bans ‘unauthorized access’ of computers, but no one really knows what those words mean … Over the years, the punishments for breaking the law have grown increasingly severe — it can now put people in prison for decades for actions that cause no real economic or physical harm. It is, in short, a nightmare for a country that calls itself free.”

In any event if you made it this far, thanks for reading. If you are interested in seeing The Internet’s Own Boy, it is available for streaming or download under the Creative Commons License here. As I said earlier it’s a great, if a little bit depressing, film that I would highly recommend.

If you want to learn more about Aaron Swartz, his Wikipedia page is located here.

For my first post I decided to recycle a short blog I wrote previously about the short lived iOS/OSX unicode DoS bug originally reported here. The bug was pretty interesting and unfortunately it was patched rather quickly. The content of this post has been edited from the original to fix some grammar odd sounding sentences.

In case you haven’t heard, recently there was a bug disclosed for iOS/OSX which leverages a particular unicode string to crash the app that attempts to display it. I’m not going to bother with a full write-up here mostly because it has been covered pretty well. Read on →

After several failed previous blog attempts, I honestly intend to keep this fairly updated. Check back from time to time.