Weev: Hackers should keep security holes to themselves

Weev. Photo: Gawker

Andrew Auernheimer, aka “weev,” the hacker found guilty last week of computer intrusion for obtaining the unprotected e-mail addresses of more than 100,000 iPad owners from AT&T’s website and passing them to a journalist, has an opinion piece in Wired News today.

Auernheimer, who founded troll group Gay Nigger Association of America and once said "some big Jews" would love to serve him a summons, sees his conviction as an unjust way to AT&T punish the messenger, rather than owning responsibility for a weak system.

In the Wired op-ed, he argues that hackers should forget about disclosure, and keep what they learn of security holes to themselves.



  1. This guy is obnoxious, he entirely reneges on his opinions just because he’s being indicted. If he hadn’t been so eager to use the exploit he uncovered to make him seem like some celebrity hacker extraordinaire he probably wouldn’t have had the hammer come down on him so hard. 

    1. This guy’s got a long history of being a sociopathic asshat. I remember him from the Encyclopedia Dramatica crowd. I have zero sympathy for him and have no trouble imagining all the ways he probably chose to make a sensitive situation worse.

      This all has no impact on whether the charges are just; they just happen to have unjustly affected someone who I don’t mind seeing suffer. :)

      1. Good to know that in America, no matter how many reasons there are for people to hate you, no matter what crimes you have committed, there’s always some clown who will pay you to shoot off your mouth some more.

  2. Or maybe we should try exposing vulnerabilities in ways that AREN’T attention-whoring or explicitly illegal.

    1. It’s not a question of how you do the disclosure, it’s a question of whether the institutions you’re disclosing to are on your side or not.
      Large software companies and government agencies are not on the side of hackers or the general public.  They are not going to use your “responsible disclosure” responsibly.

      They may demand that you “do the right thing” when it comes to helping them secure their broken products, but they’re not going to do the right thing themselves when it comes to protecting the rights and interests of the public.  Why play their game?  Why pretend that we’re all on the same team here, when they’re clearly not?

      Hackers should use their knowledge directly, as a weapon to give power to the powerless.  As long as industry and government see hackers as a force that they can buy, or negotiate with, or browbeat into behaving, no real change will come.

      1.  Seems like the best thing to do if you’re a hacker who does want to highlight the crappy negligence of large companies with people’s personal data, is to get in touch with a journalist who can get a scoop out of it.

        You’ll get the protection of law for journalists and their sources and stop the abuse of data through poor security.

  3. And they’re supposed to sit on these security flaws so that they can be exploited on a greater scale and hurt more people?  

    I’m seeing where the idea comes from, I’m just not convinced it’s terribly well thought out.

  4. I’d like to nominate this for Understatement of the Year:

    “It’s not unheard of for governments, including that of the U.S., to use exploits to gather both foreign and domestic intelligence.”

    Could this have anything to do with why NSA had a recruitment booth at Def Con this year?

  5. The problem with reporting back to the vendor is that it can be viewed as exploitation. I disagree with weev but I do believe full disclosure is the only ethical and safe way to protect the bug-finder from claims of extortion and to protect the bug-finder from harassment.  Vendors should monitor avenues of full disclosure to ensure they address the problems found.

    The current scenario is worse, either vendors do nothing and sit on serious bugs or some jerk bug finder sells the exploit to unscrupulous people. Both scenarios are terrible. Full disclosure cuts the line between vendor and bug finder, protects the bug finder and calls on vendors to be responsible.

    weev’s problem was that he associated his ego with the problem and wasn’t willing to forgo the fame.

  6. “sees his conviction as an unjust way to AT&T punish the messenger, ”

    Uh, ” sees his conviction as an unjust way for AT&T to punish the messenger,”


    Unless “AT&T” is now a verb?
