Today Weev was sentenced to 3.5 years in prison for collecting AT&T iPad Customer Data:

A friend of mine wrote:

Weev's sentence is steep, but remember, a) he didnt disclose to att, b) he talked about making a profit & causing att stock to drop.

I read the IRC thread (link below). There is really nothing wrong about talking about AT&T's stock dropping. If you found that AT&T was polluting a river, and you called the press, you might talk about how the coverage would impact their stock price. There is nothing criminal about that at all. If some friend of yours joked about trading on the information before it was disclosed, you might tell them to keep you out of it. That seems to be exactly what happened here. It seems clear from the thread that he was seeking a legal way to benefit off of the discovery, but he seems to be trying to avoid doing something illegal and seems to be trying to avoid having his friends involve him in doing something illegal.

I would have disclosed the vulnerability to AT&T, but I'm not sure that I can fault him for failing to do that. History is full of examples of organizations that reacted to vulnerability disclosures by shooting the messenger, and refusing the fix the underlying problem. Does the fact that the disclosure was public and uncoordinated MAKE this a crime? That conclusion requires deciding that ALL vulnerability disclosure must be coordinated to be legitimate, and I'm uncomfortable with that conclusion.

I think we have to allow for the possibility that people will find vulnerabilities in public facing infrastructure like this, we have to allow for the fact that the only way to validate that a vulnerability like this exists is to actually try it, we have to allow for the fact that a disclosure of such a vulnerability might not be coordinated. Basically, I think that this ought to be legal.

If he was trying to fence the data that would be a problem. If he dumped a bunch of people's personal info publicly that would be a problem, but he clearly decided against doing so.

He found a vulnerability, he verified his finding, and he publicly disclosed the issue so that it would be fixed. I think we have to allow for that.

I think they threw someone in prison for 3.5 years for something that needs to be legal if we're going to run public infrastructure with computers the way we are.

Arguably there is a legal grey area between allowing for the fact that someone might stumble upon a rather obvious vulnerability and disclose it without taking advantage of it criminally, which is what occurred in this case, and allowing people to aggressively pen test public systems without permission. It might be difficult to have the later be illegal while allowing for the former case. This is where the discretion of prosecutors comes into play. An example like this shouldn't have been prosecuted. We don't need to put people in prison for disclosing vulnerabilities to the press.