Comment Re:also (Score 5, Insightful) 171

Since Snowden's revelation about the NSA's clandestine $10 million contract with RSA,

If you're on NSA's radar you've got bigger problems than TrueCrypt's trustworthiness or lack thereof. The NSA doesn't have to have a back door into AES (or the other algorithms) when they have an arsenal of zero day exploits, side channel attacks, social engineering, and TEMPEST techniques at their disposal. The average user should be far more concerned about these attack vectors (from any source, not just NSA) than the security of the underlying encryption algorithm.

The Diceware FAQ sums up the problem rather succinctly: "Of course, if you are worried about an organization that can break a seven word passphrase in order to read your e-mail, there are a number of other issues you should be concerned with -- such as how well you pay the team of armed guards that are protecting your computer 24 hours a day."

Comment Re:To the point... (Score 1) 148

No, he sent a query to the webserver, and the webserver did what it was designed to do and answered it.

You're overlooking the part about purposefully manipulating the query in such a fashion as to trick the webserver into thinking you're someone else.

AT&T was the one making the mistake by assuming that all trivially-correctly-formatted requests were from AT&T customers as opposed to actually checking whether the requester was - in fact - a customer (something they could've easily done!)

AT&T's mistakes do not excuse the actions of the accused.

It's about precedent, and "some queries shouldn't be sent to a webserver, but you don't know what those are until we nail your ass" is a pretty damn bad precedent.

There's no overly broad precedent here, unless you're trying to claim that prosecuting people for impersonation is a scary precedent.

Comment Re:sad day for those who don't like 4chan trolls (Score 1) 148

How is the law being abused here? Go read the evidence in this case. AT&T set up a system that was designed to automatically populate an e-mail field for the convenience of their customers. They did this by matching two different variables, the user-agent of the iPad web browser and the ICC-ID number from the SIM card contained therein. Two people then discovered that they could fake both of those variables to obtain the personally identifiable information (PII) of AT&T customers. They did this in a deliberate manner while discussing ways of using the obtained information for profit, with ideas ranging from spamming (direct marketing of iPad accessories to people who obviously owned iPads) to securities fraud (they floated the idea of shorting AT&T's stock when news of the security breach broke) to the enhancement of their own reputation (look how awesome of a security guy I am, I broke into AT&T, buy my consulting services!)

AT&T's failings are not really relevant here. The process of obtaining the PII was sufficiently complicated as to make it readily apparent that the information obtained was not for public consumption. No reasonable person would conclude that they were entitled to access the PII of AT&T's customers. No reasonable person would discover this security flaw then write a script to automate the collection process while exploring methods of using the obtained information for personal financial gain.

Your whole argument can be distilled to three words: Blame the victim.

Comment Re:To the point... (Score 1) 148

If that's not a 'not guilty' by a court that's not passing actual judgement, I don't know what is.

That's some selective quoting right there, chopping it off at "or any overt act in furtherance of the conspiracy in New Jersey". They didn't conclude that he didn't commit the crime, they concluded that no actions taken in furtherance of the offense were performed in New Jersey.

Again, there was no authorization process in AT&T's system

It was keyed to only populate the e-mail field when both of the following were present: The user-agent of an iPad's web browser and a valid ICC-ID code belonging to an AT&T customer. They used these two items of information to impersonate AT&T customers and steal their personally identifiable information. Of course, your point is irrelevant either way, because the law doesn't care about "authorization process", it only cares that you accessed information you were not authorized to access. No reasonable person would conclude that they were authorized to access PII under these circumstances, wherein they had to trick AT&T's server into thinking they were somewhere else to obtain the information.

If this goes to trial again he will be convicted. If he has half a brain he'll cut a plea deal with the US Attorney, save everybody the hassle of another trial, and likely walk away with time already served. Frankly I doubt he'll do that, because he strikes me as exceedingly arrogant, but perhaps he's humbled after some time behind bars.

Comment Re:To the point... (Score 2) 148

The meat-space equivalent is something like reporter (who is not Bob's wife) calling a bar and saying, "I'm Bob's wife, is Bob there?"

A better analogy would be calling AT&T and saying "I'm Bob, can you tell me when my bill is due?" You've impersonated Bob and used it to obtain access to personally identifiable information; you'd be guilty of a number of different crimes in such a circumstance.

Comment Re:What happens now? (Score 1) 148

My understanding is it wound up in New Jersey simply because the Federal authorities there have more experience with these types of cases. However it happened, I'd concur that it was improper venue. The Feds should have charged him in his own Federal District at the very least, though I'd go further than that and argue that the body of evidence should have been turned over to the authorities in Arkansas for a state level prosecution. Either way, he was entitled to be tried in the jurisdiction where the law was broken, not trucked halfway across the country for the convenience of Uncle Sam.

Comment Re:To the point... (Score 3, Insightful) 148

Venue was improper. That doesn't mean he isn't guilty, it just means the Federal Government was inept (shocker, I know) and has managed to turn a common criminal into a martyr because they were too stubborn to simply turn this matter over to the authorities in his home state. I suspect the Feds will just prosecute him again in his home Federal District, wherein he will be convicted, though if they were smart they'd let the State authorities handle this matter. AR has a non-controversial computer trespass law that would cover his actions here.

Also, if passing a phone identifier to a query of a web server could access all this information, is that really a 'protected computer'? I'd say no.

And you'd be wrong. You're looking at this from the geek perspective, rather than the legal perspective. Google the reasonable person standard and mens rea, those are two of the most important building blocks of our legal system. Bottom line: He knowingly accessed information that a reasonable person would have known they weren't entitled to access. He did so by tricking AT&T's servers into thinking he was someone other than himself. The icing on the cake were his own words entered into evidence, wherein he admitted that he knew he wasn't entitled to access the information.

Don't take my word for any of this, go read the body of evidence against him. It's all publicly accessible via PACER.

Comment Re:What happens now? (Score 1) 148

He's still guilty of violating CFAA. They just tied it to another State level offense to enhance the underlying charge into a felony. They could have done that with any underlying state law though, so it's kind of moot whether or not he violated the NJ law. He's also guilty of violating Arkansas' computer trespass law, emphasis mine:

A person commits computer trespass if the person intentionally and without authorization accesses, alters, deletes, damages, destroys, or disrupts any computer, computer system, computer network, computer program, or data.

Had he been charged under that statute I highly doubt this would have become a national news story. This really shouldn't have become a Federal case, and if the Feds were hell bent on taking it they should have charged him in his home district. Carting him halfway across the country was a dick move, done purely for the convenience of the Federal Government, and it's made a martyr out of a common criminal that nobody would ever have heard of if this matter had been handled at the State level.

Comment Re:To the point... (Score 3, Interesting) 148

You're seriously going to argue that even though he had to take deliberate steps to impersonate other people he wasn't accessing information "without authorization"? That's what this boils down to at the end of the day, he tricked AT&T's web servers into thinking he was an AT&T customer, and in so doing obtained access to information about that customer. Then he wrote a script to automate the process and repeated it ~140,000 times.

I really don't understand why people defend this kid's actions. The Federal prosecution was bullshit, this should have been charged at the State level, but to claim that he's completely innocent when he went out of his way to obtain access to information he knew he had no right to access? That's absurd.

Comment Re:To the point... (Score 5, Informative) 148

Actually AT&T exposed the emails.

After weev modified his user-agent to pass his browser off as an iPad, then wrote a script to throw millions of different ICC-ID codes at AT&T's servers, thereby tricking them into thinking that he was the AT&T customers whose e-mails were exposed.

AT&T's "security" measures were woefully inadequate, but that doesn't change the fact that calculated and deliberate actions were required to obtain access to information that Mr. Auernheimer and Mr. Spitler knew they had no right to access. They both had the guilty mind (mens rea) required under our legal tradition to sustain a criminal conviction, breaking both the letter and the spirit of the law.
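The design flaw these comments describe (an e-mail lookup keyed on two client-supplied values, the user-agent and the ICC-ID, with no session binding) is worth seeing next to a hardened version and the log pattern that automated enumeration leaves behind. This is an added illustration, not code from any poster or from AT&T; the account table, `weak_prefill`, `safe_prefill`, `detect_enumeration` and the log format are all constructed for the example.

```python
# Added illustration (not part of any comment in the thread): why a lookup keyed
# on client-supplied request attributes is not authorization, and how enumeration
# of such a lookup shows up in access logs. Accounts and log lines are constructed.
from collections import defaultdict

# Constructed subscriber table: ICC-ID -> e-mail (placeholder values).
ACCOUNTS = {
    "8901000000000000001": "alice@example.com",
    "8901000000000000002": "bob@example.com",
}
IPAD_UA = "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X)"

def weak_prefill(headers, iccid):
    """Flawed design: any request that looks like an iPad and carries a valid
    ICC-ID gets that subscriber's e-mail. Both inputs are chosen by the client,
    so neither proves the caller is that subscriber."""
    if "iPad" in headers.get("User-Agent", "") and iccid in ACCOUNTS:
        return ACCOUNTS[iccid]
    return None

def safe_prefill(session, iccid):
    """Hardened: the e-mail is released only for the ICC-ID already bound to an
    authenticated session, so a spoofed header or guessed ICC-ID selects nothing."""
    if session is None or session.get("iccid") != iccid:
        return None
    return ACCOUNTS.get(iccid)

def detect_enumeration(log_lines, threshold=3):
    """Flag clients that probe many distinct ICC-IDs. Constructed log format:
    '<client_ip> <iccid> <status>' per line. Returns flagged IPs, sorted."""
    seen = defaultdict(set)
    for line in log_lines:
        ip, iccid, _status = line.split()
        seen[ip].add(iccid)
    return sorted(ip for ip, ids in seen.items() if len(ids) >= threshold)

# Constructed sample log: one client walking sequential ICC-IDs, one normal user.
SAMPLE_LOG = [
    "203.0.113.9 8901000000000000001 200",
    "203.0.113.9 8901000000000000002 200",
    "203.0.113.9 8901000000000000003 404",
    "203.0.113.9 8901000000000000004 404",
    "198.51.100.7 8901000000000000002 200",
]

if __name__ == "__main__":
    print(weak_prefill({"User-Agent": IPAD_UA}, "8901000000000000002"))
    print(safe_prefill({"iccid": "8901000000000000001"}, "8901000000000000002"))
    print(detect_enumeration(SAMPLE_LOG))
```

The weak handler hands out bob@example.com to anyone who sends the right two strings, the hardened one refuses the same request because the session belongs to a different subscriber, and the detector flags the client that walked four ICC-IDs while leaving the single-lookup user alone.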

Comment Re:What happens now? (Score 2) 148

The password or code - there was no such barrier to access, so no illegal access through forged authorization occurred.

He still could have been charged under CFAA, without the felony enhancement (or without it through some other requirement), or any one of a number of state-level computer trespass laws. My home state (New York) has a felony computer trespass law that would apply to the exact same crime committed within our jurisdiction, and Arkansas (weev's home state) has a similar statute.

As a general rule of thumb the law is less concerned about the specific security measures bypassed and more concerned with whether or not you knew you were entitled to access the information (the record here is clear that he knew he was not) but still took deliberate measures to obtain said access.

Comment Re:sad day for those who don't like 4chan trolls (Score 2, Insightful) 148

Not liking someone isn't a good enough reason to put them in jail.

He deserved to go to jail. Read the body of evidence against him. This wasn't a simple exposure of a security flaw in AT&T's website. He took deliberate actions to maximize the collection of information, bypassed security measures to obtain said information (that the security measures were woefully inadequate is beside the point, deliberate actions were required to bypass them), and discussed ways to use the obtained information for personal profit with his co-conspirator.

None of that is to suggest that I agree with dragging him halfway across the country, or even with the Feds getting involved in the first place. His home state (Arkansas) has a computer trespass statute that would have been sufficient to prosecute him under, or the Feds could have at least tried him in his own district. I suspect that the former is what may happen now, since double jeopardy won't apply to a State level prosecution, and if it shakes out fairly he'll get credit for the time served in Federal prison without additional jail/prison time being imposed. First time offender and a non-violent crime after all...

Comment Re:At least someone appreciates work-life balance (Score 5, Interesting) 477

If I'm off the clock, I should be able to completely ignore work and everything work-related.

In a fair world you would be able to. Of course, in a fair world people also wouldn't check Facebook during business hours, or read personal e-mails, answer texts/calls on their personal cell phones, shop on Amazon, or gossip with their coworkers at the coffee pot/water cooler outside of designated break times.

The work-life balance tilts both ways. YMMV, but I come out significantly ahead when I compare the personal things I do on company time against the occasional phone call or e-mail I handle during the evening or on the weekend.
