
Weev: Hackers should keep security holes to themselves

Xeni Jardin at 8:24 am Fri, Nov 30, 2012


Weev. Photo: Gawker

Andrew Auernheimer, aka “weev,” the hacker found guilty last week of computer intrusion for obtaining the unprotected e-mail addresses of more than 100,000 iPad owners from AT&T’s website and passing them to a journalist, has an opinion piece in Wired News today.

Auernheimer, who founded the troll group Gay Nigger Association of America and once said "some big Jews" would love to serve him a summons, sees his conviction as an unjust way for AT&T to punish the messenger, rather than owning responsibility for a weak system.

In the Wired op-ed, he argues that hackers should forget about disclosure, and keep what they learn of security holes to themselves.

 

Boing Boing editor/partner and tech culture journalist Xeni Jardin hosts and produces Boing Boing's in-flight TV channel on Virgin America airlines (#10 on the dial), and writes about living with breast cancer. Diagnosed in 2011. @xeni on Twitter. email: xeni@boingboing.net.


  • http://twitter.com/headband__ mark w.

    This guy is obnoxious, he entirely reneges on his opinions just because he’s being indicted. If he hadn’t been so eager to use the exploit he uncovered to make him seem like some celebrity hacker extraordinaire he probably wouldn’t have had the hammer come down on him so hard. 

    • http://twitter.com/MartianEmpress Rezeya Montecore

      This guy’s got a long history of being a sociopathic asshat. I remember him from the Encyclopedia Dramatica crowd. I have zero sympathy for him and have no trouble imagining all the ways he probably chose to make a sensitive situation worse.

      This all has no impact on whether the charges are just; they just happen to have unjustly affected someone who I don’t mind seeing suffer. :)

      • Professor59

        Good to know that in America, no matter how many reasons there are for people to hate you, no matter what crimes you have committed, there’s always some clown who will pay you to shoot off your mouth some more.

  • corydodt

    Or maybe we should try exposing vulnerabilities in ways that AREN’T attention-whoring or explicitly illegal.

    • ZikZak

      It’s not a question of how you do the disclosure, it’s a question of whether the institutions you’re disclosing to are on your side or not.
      Large software companies and government agencies are not on the side of hackers or the general public.  They are not going to use your “responsible disclosure” responsibly.

      They may demand that you “do the right thing” when it comes to helping them secure their broken products, but they’re not going to do the right thing themselves when it comes to protecting the rights and interests of the public.  Why play their game?  Why pretend that we’re all on the same team here, when they’re clearly not?

      Hackers should use their knowledge directly, as a weapon to give power to the powerless.  As long as industry and government see hackers as a force that they can buy, or negotiate with, or browbeat into behaving, no real change will come.

      • bluest_one

         Seems like the best thing to do if you’re a hacker who does want to highlight the crappy negligence of large companies with people’s personal data, is to get in touch with a journalist who can get a scoop out of it.

        You’ll get the protection of law for journalists and their sources and stop the abuse of data through poor security.

  • hacky

    Does the article stop at “domestic intelligence.)”?

  • s2redux

    N.B. If the posted link yields a truncated article, try this other page at Wired, which seems to have the whole thing.

    • dragonfrog

      Thank you

  • Will Holz

    And they’re supposed to sit on these security flaws so that they can be exploited on a greater scale and hurt more people?  

    I’m seeing where the idea comes from, I’m just not convinced it’s terribly well thought out.

  • Gendun

    I’d like to nominate this for Understatement of the Year:

    “It’s not unheard of for governments, including that of the U.S., to use exploits to gather both foreign and domestic intelligence.”

    Could this have anything to do with why NSA had a recruitment booth at Def Con this year?

  • http://twitter.com/sirkowski Sirkowski

    The superficial charm of the sociopath…

  • http://openid.aliz.es/fulldisclosure fulldisclosure

    The problem with reporting back to the vendor is that it can be viewed as exploitation. I disagree with weev but I do believe full disclosure is the only ethical and safe way to protect the bug-finder from claims of extortion and to protect the bug-finder from harassment.  Vendors should monitor avenues of full disclosure to ensure they address the problems found.

    The current scenario is worse, either vendors do nothing and sit on serious bugs or some jerk bug finder sells the exploit to unscrupulous people. Both scenarios are terrible. Full disclosure cuts the line between vendor and bug finder, protects the bug finder and calls on vendors to be responsible.

    weev’s problem was that he associated his ego with the problem and wasn’t willing to forgo the fame.

  • http://twitter.com/ImmortalYawn ImmortalYawn

    I'm sure people would care…if this guy wasn't such a complete dick, that is.

    “Gay N****r Association of American” will go down AMAZING in prison.

  • http://twitter.com/amanicdroid Dr. Chronobiologist

    The stories and information posted here are artistic works of someone who is chaotic neutral.
    Only a fool would take anything posted here as good advice.

  • benher

    Do his racist views completely undermine the value of his opinions on American corporate corruption? 

    • http://twitter.com/amanicdroid Dr. Chronobiologist

       is he a racist or actually a Mormon? trollz be trollz, mayne.

  • PhasmaFelis

    Dear BoingBoing: Please stop feeding the troll. How do you not know this already?

    • http://www.jimdraws.com Thorzdad

       Yes, but, “Hacker.” Thus, “Hero.” Haven’t you figured out that bit of BB math?

  • ocker3

    “sees his conviction as an unjust way to AT&T punish the messenger, ”

    Uh, ” sees his conviction as an unjust way for AT&T to punish the messenger,”

    Yes?

    Unless “AT&T” is now a verb?