
Comment Re:Reduce the toxins (Score 1) 588

It's very Science. You tinker with the disease so it'll no longer kill you and then expose yourself so that your autoimmune response will be triggered. This results in antibodies ready to fight off the full strength version should you ever come in contact with it.

That's what a vaccine is.

The concept was discovered back when someone thought to wonder why milk maids always had smooth skin. It turned out they didn't get smallpox like everybody else. But every one of them caught smallpox's weaker cousin, cowpox, early in life.

Catch is, tinkering with a disease so it won't kill you is only about 99.999% successful. The other 0.001% of the time it kills you anyway. So you don't want to take a vaccine for every conceivable disease... just for those you're likely to come into contact with.

Submission + - U.S. Biomedical Research 'Unsustainable,' Prominent Researchers Warn (sciencemag.org)

sciencehabit writes: The U.S. biomedical science system "is on an unsustainable path" and needs major reform, four prominent researchers say. Researchers should "confront the dangers at hand," the authors write, and "rethink" how academic research is funded, staffed, and organized. Among other issues, the team suggests that the system may be producing too many new researchers and forcing them to compete for a stagnating pool of funding.

Comment Reduce the toxins (Score 1) 588

We want to reduce the schedule and reduce the toxins.

Er... a vaccine is generally a weakened form of the actual disease you're trying to protect against. It's a little concept called "immunotherapy." One doesn't create a vaccine by running away from toxins, one embraces the toxins in a manner that stimulates the body to protect itself.

Comment tar (Score 1) 5

I use scripts wrapped around tried-and-true tar for my backups. And since I routinely build new servers from backups of a comparable one, I know they work.

Does anybody still use the fsdump utilities for their filesystem? Did anyone ever?

Comment Re:Farming (Score 1) 737

I have a laptop loaded with books and some portable solar panels to charge it. My plan is to locate some survivalists and suggest that if they get me through year one, what I bring will see them through years two through ten. Do they want to scrape out an existence as hunter-gatherers or do they want to LIVE?

We went from Edison to Google in only a century. With knowledge preserved, civilization and its comforts can be rebuilt in less than a lifetime.

Assuming I survive being within 10 miles of a probable ground zero for any apocalypse, of course. And hopefully they don't shoot first.

Comment Re:To the point... (Score 1) 148

No, he sent a query to the webserver, and the webserver did what it was designed to do and answered it.

You're overlooking the part about purposefully manipulating the query in such a fashion as to trick the webserver into thinking you're someone else.

AT&T was the one making the mistake by assuming that all trivially-correctly-formatted requests were from AT&T customers as opposed to actually checking whether the requester was - in fact - a customer (something they could've easily done!)

AT&T's mistakes do not excuse the actions of the accused.

It's about precedent, and "some queries shouldn't be sent to a webserver, but you don't know what those are until we nail your ass" is a pretty damn bad precedent.

There's no overly broad precedent here, unless you're trying to claim that prosecuting people for impersonation is a scary precedent.

Comment Re:sad day for those who don't like 4chan trolls (Score 1) 148

How is the law being abused here? Go read the evidence in this case. AT&T set up a system that was designed to automatically populate an e-mail field for the convenience of their customers. They did this by matching two different variables, the user-agent of the iPad web browser and the ICC-ID number from the SIM card contained therein. Two people then discovered that they could fake both of those variables to obtain the personally identifiable information (PII) of AT&T customers. They did this in a deliberate manner while discussing ways of using the obtained information for profit, with ideas ranging from spamming (direct marketing of iPad accessories to people who obviously owned iPads) to securities fraud (they floated the idea of shorting AT&T's stock when news of the security breach broke) to the enhancement of their own reputation (look how awesome of a security guy I am, I broke into AT&T, buy my consulting services!)

AT&T's failings are not really relevant here. The process of obtaining the PII was sufficiently complicated as to make it readily apparent that the information obtained was not for public consumption. No reasonable person would conclude that they were entitled to access the PII of AT&T's customers. No reasonable person would discover this security flaw then write a script to automate the collection process while exploring methods of using the obtained information for personal financial gain.

Your whole argument can be distilled to three words: Blame the victim.

Comment Re:To the point... (Score 1) 148

If that's not a 'not guilty' by a court that's not passing actual judgement, I don't know what is.

That's some selective quoting right there, chopping it off at "or any overt act in furtherance of the conspiracy in New Jersey". They didn't conclude that he didn't commit the crime, they concluded that no actions taken in furtherance of the offense were performed in New Jersey.

Again, there was no authorization process in AT&T's system

It was keyed to only populate the e-mail field when both of the following were present: The user-agent of an iPad's web browser and a valid ICC-ID code belonging to an AT&T customer. They used these two items of information to impersonate AT&T customers and steal their personally identifiable information. Of course, your point is irrelevant either way, because the law doesn't care about "authorization process", it only cares that you accessed information you were not authorized to access. No reasonable person would conclude that they were authorized to access PII under these circumstances, wherein they had to trick AT&T's server into thinking they were somewhere else to obtain the information.

If this goes to trial again he will be convicted. If he has half a brain he'll cut a plea deal with the US Attorney, save everybody the hassle of another trial, and likely walk away with time already served. Frankly I doubt he'll do that, because he strikes me as exceedingly arrogant, but perhaps he's humbled after some time behind bars.

Comment liars (Score 1) 1

I call B.S. NSA contractors operated thousands of systems with sensitive NSA data running the affected versions of openssl. It's extraordinarily unlikely that they'd have intentionally left a certain important body part swinging in the breeze for years for the sake of an advantage over adversaries. It would have been an insanely gutsy move, the kind requiring you to judge your adversary's data more valuable than your own.

Comment Re:To the point... (Score 2) 148

The meat-space equivalent is something like a reporter (who is not Bob's wife) calling a bar and saying, "I'm Bob's wife, is Bob there?"

A better analogy would be calling AT&T and saying "I'm Bob, can you tell me when my bill is due?" You've impersonated Bob and used it to obtain access to personally identifiable information, you'd be guilty of a number of different crimes in such a circumstance.

Comment Re:What happens now? (Score 1) 148

My understanding is it wound up in New Jersey simply because the Federal authorities there have more experience with these types of cases. However it happened, I'd concur that it was improper venue. The Feds should have charged him in his own Federal District at the very least, though I'd go further than that and argue that the body of evidence should have been turned over to the authorities in Arkansas for a state level prosecution. Either way, he was entitled to be tried in the jurisdiction where the law was broken, not trucked halfway across the country for the convenience of Uncle Sam.

Comment Re:To the point... (Score 3, Insightful) 148

Venue was improper. That doesn't mean he isn't guilty, it just means the Federal Government was inept (shocker, I know) and has managed to turn a common criminal into a martyr because they were too stubborn to simply turn this matter over to the authorities in his home state. I suspect the Feds will just prosecute him again in his home Federal District, wherein he will be convicted, though if they were smart they'd let the State authorities handle this matter. AR has a non-controversial computer trespass law that would cover his actions here.

Also, if passing a phone identifier to a query of a web server could access all this information, is that really a 'protected computer'? I'd say no.

And you'd be wrong. You're looking at this from the geek perspective, rather than the legal perspective. Google the reasonable person standard and mens rea, those are two of the most important building blocks of our legal system. Bottom line: He knowingly accessed information that a reasonable person would have known they weren't entitled to access. He did so by tricking AT&T's servers into thinking he was someone other than himself. The icing on the cake were his own words entered into evidence, wherein he admitted that he knew he wasn't entitled to access the information.

Don't take my word for any of this, go read the body of evidence against him. It's all publicly accessible via PACER.

Comment Re:What happens now? (Score 1) 148

He's still guilty of violating CFAA. They just tied it to another State level offense to enhance the underlying charge into a felony. They could have done that with any underlying state law though, so it's kind of moot whether or not he violated the NJ law. He's also guilty of violating Arkansas' computer trespass law, emphasis mine:

A person commits computer trespass if the person intentionally and without authorization accesses, alters, deletes, damages, destroys, or disrupts any computer, computer system, computer network, computer program, or data.

Had he been charged under that statute I highly doubt this would have become a national news story. This really shouldn't have become a Federal case, and if the Feds were hell bent on taking it they should have charged him in his home district. Carting him halfway across the country was a dick move, done purely for the convenience of the Federal Government, and it's made a martyr out of a common criminal that nobody would ever have heard of if this matter had been handled at the State level.
