Aaron Swartz, co-founder of Reddit and online activist, hanged himself in New York City last night. At the moment the Internet community is holding a virtual wake. Aaron was a young star in the tech community, known for doing the right thing for good, not for money.
Apparently, under the pressure of what amounts to a bogus government shakedown over an MIT-related publisher, he killed himself last night.
Alex Stamos has a great perspective on this, the most shocking event in the Internet community since Jon Postel died suddenly on October 16, 1998. Postel died of complications after heart valve replacement surgery in Los Angeles, 9 months after the DNS root authority incident. Jon Postel was the so-called master of the Internet DNS during its formative years, when the Internet was under the guard of the Department of Commerce.
Story by Aaron's expert witness on the prosecution that ended his life:
I was the expert witness on Aaron’s side of US vs Swartz, engaged by his attorneys last year to help prepare a defense for his April trial. Until Keker Van Nest called iSEC Partners I had very little knowledge of Aaron’s plight, and although we have spoken at or attended many of the same events we had never once met.
Should you doubt my neutrality, let me establish my bona fides. I have led the investigation of dozens of computer crimes, from Latvian hackers blackmailing a stock brokerage to Chinese government-backed attacks against dozens of American enterprises. I have investigated small insider violations of corporate policy to the theft of hundreds of thousands of dollars, and have responded to break-ins at social networks, e-tailers and large banks. … In short, I am no long-haired-hippy-anarchist who believes that anything goes on the Internet. I am much closer to the stereotypical capitalist-white-hat sellout that the antisec people like to rant about (and steal mail spools from) in the weeks before BlackHat.
I know a criminal hack when I see it, and Aaron’s downloading of journal articles from an unlocked closet is not an offense worth 35 years in jail.
- MIT operates an extraordinarily open network. Very few campus networks offer you a routable public IP address via unauthenticated DHCP and then lack even basic controls to prevent abuse. Very few captured portals on wired networks allow registration by any visitor, nor can they be easily bypassed by just assigning yourself an IP address. In fact, in my 12 years of professional security work I have never seen a network this open.
- In the spirit of the MIT ethos, the Institute runs this open, unmonitored and unrestricted network on purpose. Their head of network security admitted as much in an interview Aaron’s attorneys and I conducted in December. MIT is aware of the controls they could put in place to prevent what they consider abuse, such as downloading too many PDFs from one website or utilizing too much bandwidth, but they choose not to.
- At the time of Aaron’s actions, the JSTOR website allowed an unlimited number of downloads by anybody on MIT’s 18.x Class-A network. The JSTOR application lacked even the most basic controls to prevent what they might consider abusive behavior, such as CAPTCHAs triggered on multiple downloads, requiring accounts for bulk downloads, or even the ability to pop a box and warn a repeat downloader.
- Aaron did not “hack” the JSTOR website for all reasonable definitions of “hack”. Aaron wrote a handful of basic Python scripts that first discovered the URLs of journal articles and then used curl to request them. Aaron did not use parameter tampering, break a CAPTCHA, or do anything more complicated than call a basic command line tool that downloads a file in the same manner as right-clicking and choosing “Save As” from your favorite browser.
- Aaron did nothing to cover his tracks or hide his activity, as evidenced by his very verbose .bash_history, his uncleared browser history and lack of any encryption of the laptop he used to download these files. Changing one’s MAC address (which the government inaccurately identified as equivalent to a car’s VIN number) or putting a mailinator email address into a captured portal are not crimes. If they were, you could arrest half of the people who have ever used airport wifi.
- The government provided no evidence that these downloads caused a negative effect on JSTOR or MIT, except due to silly overreactions such as turning off all of MIT’s JSTOR access due to downloads from a pretty easily identified user agent.
- I cannot speak as to the criminal implications of accessing an unlocked closet on an open campus, one which was also used to store personal effects by a homeless man. I would note that trespassing charges were dropped against Aaron and were not part of the Federal case.
In short, Aaron Swartz was not the super hacker breathlessly described in the Government’s indictment and forensic reports, and his actions did not pose a real danger to JSTOR, MIT or the public. He was an intelligent young man who found a loophole that would allow him to download a lot of documents quickly. This loophole was created intentionally by MIT and JSTOR, and was codified contractually in the piles of paperwork turned over during discovery.
Professor Lessig will always write more eloquently than I can on prosecutorial discretion and responsibility, but I certainly agree that Aaron’s death demands a great deal of soul searching by the US Attorney who decided to massively overcharge this young man and the MIT administrators who decided to involve Federal law enforcement.
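The statement above lists the basic controls the JSTOR site is said to have lacked: a CAPTCHA triggered on multiple downloads and a warning to a repeat downloader. As an added illustration (not code from this page, from Stamos, JSTOR or MIT), here is a sliding-window check that replays constructed access-log lines and reports, per client IP, which of those controls would have fired and which user agents the client presented; the log format, thresholds and sample traffic are all assumptions.

```python
import re
from collections import defaultdict, deque
# Assumed tunables (not JSTOR's real settings): PDF fetches per client within WINDOW seconds
WINDOW = 60       # sliding window, seconds
WARN_AT = 5       # fetches in window before a "slow down" warning is shown
CAPTCHA_AT = 10   # fetches in window before further PDFs require a CAPTCHA
LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+) (.+)$")  # "<ip> <unix_time> <method> <path> <ua>"
ORDER = ("allow", "warn", "captcha")

def _lines(ip, times, ua):
    # Constructed sample log lines for one client (not real MIT/JSTOR traffic).
    return [f"{ip} {t} GET /stable/pdf/{i}.pdf {ua}" for i, t in enumerate(times)]
SAMPLE_LOG = "\n".join(
    _lines("10.0.0.5", range(1000, 1012), "curl/7.21")       # scripted fetcher: 12 PDFs in 11 s
    + _lines("10.0.0.7", range(0, 180, 30), "Mozilla/5.0")   # steady reader: 6 PDFs, 30 s apart
    + _lines("10.0.0.9", [5000, 5010, 5020], "Mozilla/5.0")  # browser session: 3 PDFs
    + ["10.0.0.9 5030 GET /stable/1234 Mozilla/5.0"]         # HTML page, not a PDF
)

def classify(count):
    """Map a per-window count to the control a rate-aware site would apply."""
    if count >= CAPTCHA_AT:
        return "captcha"
    if count >= WARN_AT:
        return "warn"
    return "allow"

def summarize(log_text, window=WINDOW):
    """Replay the log with a sliding window per client IP; report PDF count,
    the strongest control triggered, and the user agents each IP presented."""
    recent = defaultdict(deque)   # ip -> timestamps of PDF fetches still inside the window
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, ua = m.group(1), int(m.group(2)), m.group(3), m.group(4), m.group(5)
        entry = report.setdefault(ip, {"pdfs": 0, "worst": "allow", "agents": set()})
        entry["agents"].add(ua)
        if method != "GET" or not path.endswith(".pdf"):
            continue
        q = recent[ip]
        while q and ts - q[0] >= window:   # expire fetches that fell out of the window
            q.popleft()
        q.append(ts)
        entry["pdfs"] += 1
        action = classify(len(q))
        if ORDER.index(action) > ORDER.index(entry["worst"]):
            entry["worst"] = action
    return report
```

The steady reader fetches more PDFs in total than the warning threshold but never more than two inside any 60-second window, so the sliding window is what separates a bulk fetcher from a patient one.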
Other Stories From Around the Web
RIP, Aaron Swartz – Boing Boing
The inspiring heroism of Aaron Swartz
The inspiring heroism of Aaron Swartz | Glenn Greenwald
My Aaron Swartz, whom I loved. | Quinn Said
Aaron Swartz, Internet Activist, Dies at 26
Lessig on the DoJ’s vindictive prosecution of Aaron Swartz
If I get hit by a truck…
Lauren Weinstein’s Blog: The Many Killers of Aaron Swartz