Tuesday, January 15, 2013

The Truth about Aaron Swartz's "Crime"

I did not know Aaron Swartz, unless you count having copies of a person’s entire digital life on your forensics server as knowing him. I did once meet his father, an intelligent and dedicated man who was clearly pouring his life into defending his son. My deepest condolences go out to him and the rest of Aaron’s family during what must be the hardest time of their lives.
If the good that men do is oft interred with their bones, so be it, but in the meantime I feel a responsibility to correct some of the erroneous information being posted as comments to otherwise informative discussions at Reddit, Hacker News and Boing Boing. Apparently some people feel the need to self-aggrandize by opining on the guilt of the recently departed, and I wanted to take this chance to speak on behalf of a man who can no longer defend himself. I had hoped to ask Aaron to discuss these issues on the Defcon stage once he was acquitted, but now that he has passed it is important that his memory not be besmirched by the ignorant and uninformed. I have confirmed with Aaron’s attorneys that I am free to discuss these issues now that the criminal case is moot.
I was the expert witness on Aaron’s side of US vs Swartz, engaged by his attorneys last year to help prepare a defense for his April trial. Until Keker Van Nest called iSEC Partners I had very little knowledge of Aaron’s plight, and although we have spoken at or attended many of the same events we had never once met.

Should you doubt my neutrality, let me establish my bona fides. I have led the investigation of dozens of computer crimes, from Latvian hackers blackmailing a stock brokerage to Chinese government-backed attacks against dozens of American enterprises. I have investigated small insider violations of corporate policy to the theft of hundreds of thousands of dollars, and have responded to break-ins at social networks, e-tailers and large banks. While we are no stranger to pro bono work, having served as experts on EFF vs Sony BMG and Sony vs Hotz, our reports have also been used in the prosecution of at least a half dozen attackers. In short, I am no long-haired-hippy-anarchist who believes that anything goes on the Internet. I am much closer to the stereotypical capitalist-white-hat sellout that the antisec people like to rant about (and steal mail spools from) in the weeks before BlackHat.
I know a criminal hack when I see it, and Aaron’s downloading of journal articles from an unlocked closet is not an offense worth 35 years in jail.
The facts:
  • MIT operates an extraordinarily open network. Very few campus networks offer you a routable public IP address via unauthenticated DHCP and then lack even basic controls to prevent abuse. Very few captive portals on wired networks allow registration by any visitor, nor can they be easily bypassed by just assigning yourself an IP address. In fact, in my 12 years of professional security work I have never seen a network this open.
  • In the spirit of the MIT ethos, the Institute runs this open, unmonitored and unrestricted network on purpose. Their head of network security admitted as much in an interview Aaron’s attorneys and I conducted in December. MIT is aware of the controls they could put in place to prevent what they consider abuse, such as downloading too many PDFs from one website or utilizing too much bandwidth, but they choose not to.
  • MIT also chooses not to prompt users of their wireless network with terms of use or a definition of abusive practices.
  • At the time of Aaron’s actions, the JSTOR website allowed an unlimited number of downloads by anybody on MIT’s 18.x Class-A network. The JSTOR application lacked even the most basic controls to prevent what they might consider abusive behavior, such as CAPTCHAs triggered on multiple downloads, requiring accounts for bulk downloads, or even the ability to pop a box and warn a repeat downloader.
  • Aaron did not “hack” the JSTOR website for all reasonable definitions of “hack”. Aaron wrote a handful of basic Python scripts that first discovered the URLs of journal articles and then used curl to request them. Aaron did not use parameter tampering, break a CAPTCHA, or do anything more complicated than call a basic command line tool that downloads a file in the same manner as right-clicking and choosing “Save As” from your favorite browser.
  • Aaron did nothing to cover his tracks or hide his activity, as evidenced by his very verbose .bash_history, his uncleared browser history and lack of any encryption of the laptop he used to download these files. Changing one’s MAC address (which the government inaccurately identified as equivalent to a car’s VIN number) or putting a mailinator email address into a captive portal are not crimes. If they were, you could arrest half of the people who have ever used airport wifi.
  • The government provided no evidence that these downloads caused a negative effect on JSTOR or MIT, except due to silly overreactions such as turning off all of MIT’s JSTOR access due to downloads from a pretty easily identified user agent.
  • I cannot speak as to the criminal implications of accessing an unlocked closet on an open campus, one which was also used to store personal effects by a homeless man. I would note that trespassing charges were dropped against Aaron and were not part of the Federal case.
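As an added illustration, not code from the original post, here is the kind of basic server-side control the post says the JSTOR application lacked: a sliding-window count of PDF downloads per client that escalates from a warning to a CAPTCHA to requiring an account. The thresholds, paths, addresses and log lines are assumptions constructed for this example, not JSTOR's or MIT's actual policy or traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Escalating controls of the kind the post says JSTOR lacked; thresholds are
# assumptions for this example, not any real JSTOR or MIT policy.
WINDOW = timedelta(minutes=10)
TIERS = [(200, "require-account"), (50, "captcha"), (20, "warn")]  # strictest first
# Apache "combined" log format: client, timestamp, request, status, bytes, referer, user-agent.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) HTTP/[\d.]+" (\d{3}) \d+ "[^"]*" "([^"]*)"$')

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, path, status, ua = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status), ua

def action_for(count):
    for threshold, action in TIERS:
        if count >= threshold:
            return action
    return "allow"

def evaluate(lines):
    """Per client IP: peak successful PDF downloads inside any WINDOW and the control reached."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, when, path, status, _ua = rec
        if status != 200 or not path.lower().endswith(".pdf"):
            continue  # only completed article downloads count toward the limit
        q = recent[ip]
        q.append(when)
        while when - q[0] > WINDOW:  # drop requests that fell out of the sliding window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: (action_for(n), n) for ip, n in peak.items()}

def constructed_log():
    """Constructed sample (not real traffic): a script fetching 60 PDFs in 6 minutes, a browser fetching 3."""
    base = datetime(2013, 1, 15, 9, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET /articles/{n}.pdf HTTP/1.1" 200 51234 "-" "{ua}"'
    def stamp(d): return (base + d).strftime("%d/%b/%Y:%H:%M:%S %z")
    script = [fmt.format(ip="192.0.2.10", ts=stamp(timedelta(seconds=6 * i)), n=1000 + i, ua="curl/7.21.0") for i in range(60)]
    browser = [fmt.format(ip="192.0.2.20", ts=stamp(timedelta(minutes=i)), n=2000 + i, ua="Mozilla/5.0") for i in range(3)]
    return script + browser

if __name__ == "__main__":
    for ip, (action, n) in evaluate(constructed_log()).items():
        print(f"{ip}: {n} PDFs in window -> {action}")
```

With the constructed log the scripted client reaches 60 downloads inside the window and would have been shown a CAPTCHA long before anyone needed to cut off a whole campus.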
In short, Aaron Swartz was not the super hacker breathlessly described in the Government’s indictment and forensic reports, and his actions did not pose a real danger to JSTOR, MIT or the public. He was an intelligent young man who found a loophole that would allow him to download a lot of documents quickly. This loophole was created intentionally by MIT and JSTOR, and was codified contractually in the piles of paperwork turned over during discovery.
If I had taken the stand as planned and had been asked by the prosecutor whether Aaron’s actions were “wrong”, I would probably have replied that what Aaron did would better be described as “inconsiderate”, in the same way it is inconsiderate to write a check at the supermarket while a dozen people queue up behind you or to check out every book at the library needed for a History 101 paper. It is inconsiderate to download lots of files on shared wifi or to spider Wikipedia too quickly, but none of these actions should lead to a young person being hounded for years and haunted by the possibility of a 35-year sentence.
Professor Lessig will always write more eloquently than I can on prosecutorial discretion and responsibility, but I certainly agree that Aaron’s death demands a great deal of soul searching by the US Attorney who decided to massively overcharge this young man and the MIT administrators who decided to involve Federal law enforcement.
I cannot speak as to all of the problems that contributed to Aaron’s death, but I do strongly believe that he did not deserve the treatment he received while he was alive. It is incumbent on all of us to figure out how to create some positive change out of this unnecessary tragedy. I’ll write more on that later. First I need to spend some time hugging my kids.
Edit 1: Fixed typo. Thank you @ramenlabs.
Posted from San Carlos, CA.
