I am sure most of us have come across the news of the saddening demise of 26 year old Aaron Swartz. He was an internet activist fighting for the good of the internet. He was also part of the founding team of Reddit. He also wrote the initial definitions of the RSS (Rich Site Summary). In short, he was a brilliant young lad who brought an end to his own life.
There have been many discussions as to why he did so. It is definitely sad that people have been making vague statements and opinions especially after a person has just passed away. Alex Stamos, CTO of Artemis Internet and expert witness on Aaron’s side of US vs Swartz writes a post in his blog talking about the facts of Aaron’s “crime”.
In case you still do not know, Aaron was indicted of stealing government information from a government website, causing damage to resources, etc. I am sure most will believe that downloading of journal articles from an unlocked closet is not an offense worth 35 years in jail.
Here are some facts as mentioned by Alex Stamos:
- MIT operates an extraordinarily open network. Very few campus networks offer you a routable public IP address via unauthenticated DHCP and then lack even basic controls to prevent abuse. Very few captured portals on wired networks allow registration by any vistor, nor can they be easily bypassed by just assigning yourself an IP address. In fact, in my 12 years of professional security work I have never seen a network this open.
- In the spirit of the MIT ethos, the Institute runs this open, unmonitored and unrestricted network on purpose. Their head of network security admitted as much in an interview Aaron’s attorneys and I conducted in December. MIT is aware of the controls they could put in place to prevent what they consider abuse, such as downloading too many PDFs from one website or utilizing too much bandwidth, but they choose not to.
- At the time of Aaron’s actions, the JSTOR website allowed an unlimited number of downloads by anybody on MIT’s 18.x Class-A network. The JSTOR application lacked even the most basic controls to prevent what they might consider abusive behavior, such as CAPTCHAs triggered on multiple downloads, requiring accounts for bulk downloads, or even the ability to pop a box and warn a repeat downloader.
- Aaron did not “hack” the JSTOR website for all reasonable definitions of “hack”. Aaron wrote a handful of basic python scripts that first discovered the URLs of journal articles and then used curl to request them. Aaron did not use parameter tampering, break a CAPTCHA, or do anything more complicated than call a basic command line tool that downloads a file in the same manner as right-clicking and choosing “Save As” from your favorite browser.
- Aaron did nothing to cover his tracks or hide his activity, as evidenced by his very verbose .bash_history, his uncleared browser history and lack of any encryption of the laptop he used to download these files. Changing one’s MAC address (which the government inaccurately identified as equivalent to a car’s VIN number) or putting a mailinator email address into a captured portal are not crimes. If they were, you could arrest half of the people who have ever used airport wifi.
- The government provided no evidence that these downloads caused a negative effect on JSTOR or MIT, except due to silly overreactions such as turning off all of MIT’s JSTOR access due to downloads from a pretty easily identified user agent.
- I cannot speak as to the criminal implications of accessing an unlocked closet on an open campus, one which was also used to store personal effects by a homeless man. I would note that trespassing charges were dropped against Aaron and were not part of the Federal case.
In short, Aaron Swartz was not the super hacker breathlessly described in the Government’s indictment and forensic reports, and his actions did not pose a real danger to JSTOR, MIT or the public. He was an intelligent young man who found a loophole that would allow him to download a lot of documents quickly. This loophole was created intentionally by MIT and JSTOR, and was codified contractually in the piles of paperwork turned over during discovery.
Well, at the end of it, he did give away his life which could have been saved. But this is how it is now I guess. It is a sad demise for the internet and activists in general.