Coviello will provide strategic guidance as Cybereason continues its hypergrowth trajectory following a recent $325 million Series F funding round...
April 19, 2022 |
Born in Israel in 1975, Malicious Life Podcast host Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast Making History. He is author of three books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.
Malicious Life by Cybereason exposes the human and financial powers operating under the surface that make cybercrime what it is today. Malicious Life explores the people and the stories behind the cybersecurity industry and its evolution. Host Ran Levi interviews hackers and industry experts, discussing the hacking culture of the 1970s and 80s, the subsequent rise of viruses in the 1990s and today’s advanced cyber threats.
Malicious Life theme music: ‘Circuits’ by TKMusic, licensed under Creative Commons License. Malicious Life podcast is sponsored and produced by Cybereason. Subscribe and listen on your favorite platform:All Posts by Malicious Life Podcast
JSTOR is a digital library of academic journals, books, and primary sources. On Saturday, September 25, 2010, JSTOR’s IT people noticed a massive increase in article downloads. It seems someone was scraping the website: programmatically scanning the website page by page, downloading hundreds of papers per minute. Such scraping can be very taxing on a service’s servers, which is why it is forbidden by JSTOR’s terms of service. The offending IP, which belonged to MIT’s network, was subsequently located and blocked within hours.
When JSTOR’s admins got to work the following morning, they noticed that the scrapping continued, but from a different MIT IP address. They contacted the university, but MIT’s tech people weren’t much help, because MIT provides free access to JSTOR to all of its visiting scholars: the culprit just had to sign in as a guest. As it turns out, they did: they signed in as Gary Host – Ghost, for short.
So JSTOR decided that this time they would block a whole section of IPs on campus and that would take care of the problem. All was well for a while, and so after some time, JSTOR restored MIT’s full access.
It was on a Saturday, two weeks later, when the scrapping started again, at an even faster rate. This is when JSTOR shut down access to the entire MIT campus. By this time they calculated that approximately 450,000 articles have been downloaded. No one knew where they’d gone. As far as anyone could tell, they were not sold or republished someplace else. Gary Host did not respond to JSTOR’s inquiries. Both MIT and JSTOR agreed that for the time being all visiting scholars’ access will be blocked. A couple of months went by. The scrapper seemed to have given up his or her scientific journal heist.
But in January 2011, someone on JSTOR decided to do a retrospective analysis of the article scrapping incident and found that Gary Host had changed his name to Grace Host, found a new way to infiltrate JSTOR from the MIT campus, and had in fact been scraping the website all along. By this time, they estimated, 80% of JSTOR’s database – approximately 4.8 million articles – have been downloaded over a period of five months. They estimated the damage from unpaid downloading fees to be $50,000.
This is when law enforcement got involved.
Searching the campus, MIT police found a suspicious laptop in a wiring closet in the basement of building 16. The laptop was running a script called “keepgrabbing.py” They notified the Cambridge police which notified the U.S. Secret Service, which advised them to leave the laptop in place and install a hidden camera in the wiring closet.
The sting operation was on.
On January 6th a man was seen on camera entering the wiring closet and replacing an external hard drive. An MIT police officer spotted the suspect while he was riding his bicycle on campus: he tried apprehending him – but the suspect then dumped his bike and managed to run 400 feet before being caught, pushed to the ground, and handcuffed. He was arrested, searched, and placed in solitary confinement until he was released a few hours later on a $1,000 bail.
24-year-old computer programmer, writer, and internet activist Aaron Swartz was arraigned in the Cambridge District Court on two state charges of breaking and entering with intent to commit a felony.
When Aaron was three years old he pointed at the family’s refrigerator and asked his mother “What’s this free family entertainment in downtown Highland Park?”. Confused, his mother asked him “What are you talking about?” and young Aaron said, “Look, it says here on the refrigerator. Free family entertainment in downtown Highland Park”. That’s when Aaron’s parents realized that their kid taught himself how to read.
Born in 1986 in Highland Park, Illinois, Aaron was a bright self-starter. He loved computers. He loved libraries and he loved learning and then teaching his brothers what he learned. He had the gift of simplifying concepts and clearly conveying them to others.
His father, the founder of a small software firm, bought his three young children a computer in the late 80s. Aaron took to the machine immediately and wrote basic game scripts for his siblings.
By 9th grade, Aaron was fed up with high school. Why should he go to school to learn from a teacher – what he can get for free at the public library or online? So Aaron created The Info Network – a user-generated encyclopedia, a predecessor to Wikipedia. He even won an award from a web development company for creating “a useful, educational, and collaborative” non-commercial website. He was 13 at the time.
Unfortunately, as he himself stated in a talk at a computer conference several years later: “the only people I knew at the time were other kids in my school, so I didn’t really have anyone writing a lot of encyclopedia articles.” However, The Info Network was what got him noticed by computer-savvy adults.
Aaron started collaborating with an online working group on establishing the framework for RSS – an XML-based format for distributing and aggregating web content that will go on to become the backbone of podcast publishing. His fellow collaborators said that he was very knowledgeable, combative, and vocal with his opinions. He also worked very hard to hide his age. It took the online group a full year to finally ask him why he never shows up to face-to-face meetings, to which he reluctantly responded that his mother won’t let him fly alone. He was only 14.
In 2005 he enrolled at Stanford University, only to get bored and leave after barely a year. He created Infogami, a flexible content management system designed to create rich and visually interesting websites. It failed – but that’s how he met his new partners, Steve Huffman and Alexis Ohanian, and became a co-owner of a news website called Reddit. In a talk he gave at a computer conference two years later, Aaron described their workday like this:
“The first thing to know about Reddit was that we had no clue what we were doing…Every morning we woke up and made sure the server wasn’t down and that our site hadn’t been overrun by spammers and that all our users hadn’t left.”
Reddit was bought a year later by Conde Nast Publications for an estimated 20 million dollars. Aaron became a millionaire – but that made very little difference to him: all he wanted to do was code. When the Reddit team moved to San Francisco to work at Wired magazine’s offices (also owned by Conde Nast), Aaron realized corporate life wasn’t for him.
“I was miserable. I couldn’t stand San Francisco. I couldn’t stand office life. I couldn’t stand Wired. I took a long Christmas vacation. I got sick. I thought of suicide. I ran from the police. And when I got back on Monday morning, I was asked to resign.”
By this time Aaron was a man of means with a long to-do list he started marking off one by one. Together with Brewster Kahle from The Internet Archive, a non-profit free library of anything digital, he created “The Open Library” – a free service that allows anyone to borrow digital books. He authored several blogs on different topics that interested him, and mentored a startup summer camp for brilliant overachieving kids such as himself.
A Close Call
PACER is short for Public Access to Court Electronic Records. It’s a government database for public records for the federal, district, and appeals courts, and it’s paywalled. In 2008, Aaron and Carl Malamud – another public domain advocate – downloaded 20 million pages of legal documents from PACER, via a computer at the Sacramento Public Library.
This got the FBI involved. Aaron’s house was surveilled and his public life and records scrutinized – but ultimately, after two months of investigation, the FBI decided to close the case because the data that Aaron scraped was actually public data.
Three years later, in 2011, a bill was introduced to Congress: SOPA, short for Stop Online Piracy Act. Its tenet was to expand the ability of U.S. law enforcement to combat online copyright infringement and online trafficking in counterfeit goods. It gave the government the power to sanction and shut down any website that publishes unauthorized copyrighted content – even websites such as YouTube or Wikipedia.
Aaron was one of the architects of the SOPA opposition campaign. On January 18th, 2012 the stop-SOPA campaigners managed to convince 115,000 websites to go dark. Wikipedia wrote on its home page “Imagine a world without free knowledge”, and added a zip code tool for contacting your representative at congress. Over 4 million emails were sent, 10 million signatures were collected, eight million phone calls were made and three million tweets called on congress to dump SOPA.
It worked. The republicans pulled out and then the white house withdrew its support for the bill. They won.
United States vs. Aaron Swartz
Back to JSTOR and MIT.
Quinn Norton, a journalist, was Aaron’s girlfriend at the time. In March, 2012, while she was staying with a friend in the San Francisco Bay Area, Quinn was visited by two secret service agents that issued a subpoena for all her digital communications with Aaron.
Shortly after, Quinn was invited by Steve Heymann – the federal prosecutor – to a meeting where she would be investigated about Aaron’s alleged crime. The upcoming chat with the prosecutor was putting a strain on their relationship: each had a different lawyer that gave different and sometimes conflicting advice. Aaron and Quinn were arguing and making up daily. They were stressed out and tired and the trust was starting to ooze out of their relationship.
On April 13th, Quinn sat at Heymann’s office in the Boston Courthouse. There were six people around the table at the overstuffed office: Quinn with her two lawyers and Heymann with two secret service agents. Sporting a borrowed tweed suit, a migraine, painkillers and a glass of water Quinn sat there for hours being grilled about the nature of her relationship with Aaron and what she knew about his JSTOR heist. She kept insisting that she knew nothing – but the prosecutor wasn’t convinced.
In a documentary released a year after Aaron’s death, Quinn is seen describing the moment that she believes sealed Aaron’s fate. It was when she mentioned the three-year-old, widely circulated “Guerilla Open Access Manifesto” penned by a group of activists and signed by Aaron. Here is an excerpt from the Manifesto:
“There is no justice in following unjust laws. It’s time to come into the light and, in the grand tradition of civil disobedience, declare our opposition to this private theft of public culture.
We need to take information, wherever it is stored, make our copies, and share them with the world. We need to take stuff that’s out of copyright and add it to the archive. We need to buy secret databases and put them on the Web. We need to download scientific journals and upload them to file-sharing networks. We need to fight for Guerilla Open Access.”
Quinn believes that until then the prosecutors were fishing for a reason to make an example out of Aaron. They saw in him a scapegoat for the downloading pirates of the world. The manifesto was their smoking gun of malicious intent.
Aaron was indicted by federal prosecutors on four felony charges: wire fraud, computer fraud, unlawfully obtaining information from a protected computer, and recklessly damaging a protected computer. At some point, the number of charges was increased to 13, under the 1986 Computer Fraud and Abuse Act (CFAA). If convicted, Aaron was facing up to 35 years in prison, three years of supervised release, and a fine of up to $1 million.
There’s little doubt that what Aaron did went against the law. The scientific papers he scraped were indeed – according to a precedent set in 1978 – JSTOR’s property, and by continually circumventing JSTOR’s ban on various IPs, Aaron did commit a crime. Even Lawrence Lessig, a lawyer and a political activist who was Aaron’s friend and even advised him during the trial, admitted that –
“What [Aaron Swartz] did was wrong. And if not legally wrong, then at least morally wrong. The causes that Aaron fought for are my causes too. But as much as I respect those who disagree with me about this, these means are not mine.”
Orin Kerr, Professor of Law at UC Berkeley, wrote the following:
“If I’m right about what Swartz was trying to do, then I think some kind of criminal prosecution is appropriate in this case. The evidence suggests to me that this was not a one-time mistake or an impulsive decision. Rather, Swartz was acting very deliberately with a quite far-reaching goal: he was intentionally breaking the law in the short run to achieve a long-run goal of nullifying the protections of a set of democratically-enacted laws that he opposed.”
Kerr thinks that considering the type and number of crimes Aaron was charged with, the punishment sought by the prosecution was also to be expected, if – and that’s an important “if” – we keep in mind that the 35 years in prison facing Aaron were merely the maximum possible punishment.
“I think it’s absolutely right that decades in jail would have been extreme overkill. But it’s important to realize that such a sentence was never a realistic possibility. […] When Congress passes a criminal law, it specifies a maximum possible lawful punishment for a violation of that crime. […] But it’s important to realize that the actual punishments that are imposed for violations usually have nothing to do with these maximum punishments. The actual punishments are calculated under a complex scheme enacted by a law called the Federal Sentencing Guidelines, which then offer a recommended sentence that a judge can then impose or modify to suit the circumstances.”
And yet, even if we take into account that 35 years in prison was never a realistic possibility – something still feels wrong. Should such a harsh punishment even be considered, however remotely, in a crime such as the one that Aaron Swartz allegedly committed?
Alex Stamos, then Chief Security Officer at Facebook, was supposed to testify in Aaron’s trial as an expert witness. He wrote in his personal blog:
“I know a criminal hack when I see it, and Aaron’s downloading of journal articles from an unlocked closet is not an offense worth 35 years in jail. […] If I had taken the stand as planned and had been asked by the prosecutor whether Aaron’s actions were “wrong”, I would probably have replied that what Aaron did would better be described as “inconsiderate”. In the same way it is inconsiderate to check out every book at the library needed for a History 101 paper. None of these actions should lead to a young person being hounded for years and haunted by the possibility of a 35 year sentence.”
Apparently, this question has been bothering scholars like Kerr and Lessig for quite some time. Here’s Professor Kerr again:
“The Swartz case does point to a serious problem with the Computer Fraud and Abuse Act. […] The problem raised by the Swartz case is one I’ve been fighting for years: Felony liability under the statute is triggered much too easily. The law needs to draw a distinction between low-level crimes and more serious crimes, and current law does so poorly.”
A felony is a crime for which the maximum possible lawful punishment is more than one year in jail. If the maximum possible punishment is a year or less – then the crime is called a misdemeanor. Kerr writes –
“Felony liability under 18 U.S.C. 1030 has a trigger that is too low. […] Under that statute, a mere misdemeanor act of unauthorized access [to a computer system] becomes a serious felony crime. […] unauthorized access in furtherance of any conduct that is any crime or tort under the state or federal system makes the low-level offense a felony. And DOJ always has creative theories that lets them find another tort or crime.”
Lawrence Lessing says that that’s exactly what the prosecutor in Aaron’s trial did.
“From the beginning, the government worked as hard as it could to characterize what Aaron did in the most extreme and absurd way. The “property” Aaron had “stolen,” we were told, was worth “millions of dollars” — with the hint, and then the suggestion, that his aim must have been to profit from his crime. But anyone who says that there is money to be made in a stash of ACADEMIC ARTICLES is either an idiot or a liar. […] The question this government needs to answer is why it was so necessary that Aaron Swartz be labeled a “felon.” […] Fifty years in jail, charges our government. Somehow, we need to get beyond the “I’m right so I’m right to nuke you” ethics that dominate our time.”
The absurdity of punishment facing Aaron was so obvious, that by May 2012 JSTOR was talking to Aaron’s lawyers trying to get their stuff back and shut the whole thing down. Everybody was getting bad press from this. This is when JSTOR released the following statement:
“What Mr. Swartz did was extremely serious from our perspective. Following his arrest, we made contact with Mr. Swartz and learned that he had retained and was prepared to return the copies of all the articles that he had downloaded, and we entered into a civil settlement with him. We told the United States Attorney’s Office that we had no further interest in the matter and did not want to press charges.”
But the prosecutor, determined to make an example of Aaron, pressed forward. He offered Aaron a deal: three months in prison, three months in a halfway house and three months probation, and one felony count. Pleading guilty to a felony count in the United States means that you have a permanent criminal record, you could have a hard time renting a home, getting a job, being accepted to college, applying for financial aid, loans and scholarships, and attaining professional licenses. You also may not be able to travel to certain countries, be more likely to have reduced custody rights over your kids, and in some states be revoked of the right to vote.
Aaron was adamant: what he did was not a felony. As Lawrence Lessig recalls –
“In the 18 months of negotiations, that was what he was not willing to accept.”
Aaron pleaded not guilty on all counts.
When Quinn Norton finally got called before the grand jury – she invoked the 5th amendment to the U.S. Constitution: a refusal to answer a question, especially in a criminal trial, on the grounds that you might incriminate yourself. She tried to dissuade the grand jury from indicting Aaron. This enraged the prosecutors, she got thrown out of the room.
This was, however, a little too late for Quinn and Aaron. The pressure and paranoia placed an immense strain on their relationship, and they eventually broke up.
On January 13, 2013, Aaron, tired of the fight and hopeless of its outcome, hanged himself in his Brooklyn apartment.
Just two days before his death, JSTOR announced that it would make more than 4.5 million articles available to the public free of charge with the “Register & Read ” service.
Carl Malamud said the following in his eulogy at Aaron’s memorial:
“Aaron was part of an army of citizens that believes democracy only works when a citizenry are informed, and we know about our rights and our obligations, an army that believes we must make justice and knowledge available to all, not just the well-born, or those that have grabbed the reins of power, so that we may govern ourselves more wisely. He was part of an army of citizens that rejects kings and generals and believes in rough consensus and running code.”
The public outcry over Aaron’s punishment, penalties, and death prompted an attempt to amend the Computer Fraud and Abuse Act (CFAA) of 1986. On the 20th of June 2013, Aaron’s Law was introduced to congress demanding that “exceeds authorized access” be replaced with the milder offense of “access without authorization,” and that there would be a limit to the imposition of enhanced penalties to subsequent offenses, and that the monetary value of the damage done will be made according to fair market value. Meaning – no more 35 years in prison for downloading articles. However, the bill died two years later.
And so the debate continues to this day. it was Aaron himself who outlined it best, in a keynote speech he gave in 2012:
“There’s a battle going on right now: a battle to define everything that happens on the Internet in terms of traditional things that the law understands. Is sharing a video on BitTorrent like shoplifting from a movie store? Or is it like loaning a videotape to a friend? Is reloading a web page over and over again like a peaceful virtual sit-in, or a violent smashing of shop windows? Is the freedom to connect like freedom of speech, or like the freedom to murder? […] If we lost the ability to communicate with each other over the Internet, it would be a change to the bill of rights — the freedoms guaranteed in our constitution. The freedoms our country had been built on would be suddenly deleted. New technology, instead of bringing us greater freedom, would have snuffed out fundamental rights we’d always taken for granted.”
Over the years it has become a tribute to Aaron’s memory, to read the Guerilla Open Access Manifesto and upload it to YouTube.