Andrew Auernheimer, also known as “Weev”, was convicted of identify fraud and conspiracy to access a computer without authorization last week for using a script to collect the email addresses of 114,000 iPad AT&T left (albeit accidentally) unencrypted on the internet and available to anyone with a web browser. Auernheimer is the opposite of a traditionally sympathetic character: He’s a self professed troll and hacker who once headed a group with an incredibly racist and homophobic name, spouts anti-Semitic conspiracy theories, and comes across as a delusional fabulist in a recent profile by Gawker’s Adrian Chen.
And yet his conviction has spread a creeping chill through the cybersecurity community, largely due the possible threat it poses to its future. Many security researchers spend countless hours hunting for vulnerabilities to exploit in exchange for cred from their peers or bounty cash from vendors, living in delicate symbiosis with the companies whose flaws they uncover. Security researcher Matt Blaze sums up the situation nicely in an opinion piece about the Auernheimer case for Wired:
“Because computer science has yet to discover a systematic way to find and fix all the vulnerabilities in real-world systems before they get deployed, independent security researchers who discover and report weaknesses have become an essential part of the security ecosystem. Continually poking at systems to seek out hidden flaws is the only hope we have of staying ahead of the bad guys, and the software industry has largely come to recognize that the motley assortment of academics, consultants, and hackers who look for security holes are a community to be cultivated and encouraged — even if the proof of vulnerability they bring may sometimes be painful and embarrassing.”
Now, Auernheimer is by no means a pillar of responsibility in the hacker community. He went straight to the press with the vulnerability rather than notifying AT&T, and chat logs show him apparently gleeful at the prospect of making AT&T’s life difficult. But when anyone, even someone who has burned as many bridges as Auernheimer, is convicted for the same day-to-day activities members of the cybersecurity community do in their line of work, of course it raises concerns, particularly because Blaze and many others in the community credit AT&T’s pain and embarrassment over their security faux pas with Auernheimer’s conviction — not malice or wrongdoing on his part. After all, the information he was convicted for obtaining wasn’t actually secured in anyway, some experts have even compared it to the crawling of sites done by Google.
By going after Auernheimer, the government sent a signal to the hacker community that even if you don’t do anything nefarious in your exploits they can and will take you down — and that threat to the community is bad for security in the long term because if the “good guys” don’t feel they can ply their trade without the risk of prosecution, it leaves more vulnerabilities waiting for people who would rather exploit than expose them. Certainly, one of the last high profile cases involving someone being arrested for exposing a vulnerability, United States v. ElcomSoft and Sklyarov, didn’t work out well for anyone involved, including the company trying to protect its assets. Who knows how many security researchers will lay low this time, waiting to see how the Auernheimer case shakes out? They may not have to wait long, Auernheimer is appealing.