By Matt Blaze
[Photo: Courtesy of Ariel Zambelich/Wired]
Disclosing a flaw in a widely used system without making someone at least a little angry requires a delicate touch. But Andrew Auernheimer, a.k.a. “Weev,” a 26-year-old finder of security vulnerabilities, is anything but delicate.
Two years ago, Auernheimer and a friend made a surprising discovery about the way AT&T was protecting its web database of iPad cellular data accounts: That is, AT&T wasn’t protecting it at all. Any customer could access his or her account data by going to an AT&T URL containing their iPad’s unique numerical identifier. No password, cookie, or login procedure was required to bring up a user’s private information. Auernheimer wrote a script to enumerate iPad IDs and promptly collected more than 100,000 e-mail addresses belonging to AT&T iPad users, which he shared with the Gawker news site to expose the AT&T flaw.
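The flaw described above is a missing authorization check: the server handed back account data for whatever identifier appeared in the URL, with no session tying that identifier to the customer asking for it. The following is an added illustration, not AT&T's code or anything from the article, of that vulnerable pattern next to a hardened handler that requires a login and checks ownership, plus a minimal counter of denied lookups that a defender could use to notice someone walking the identifier space. The account records, identifiers, usernames and function names are all constructed for this example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    device_id: str  # the device's unique numerical identifier (constructed sample)
    owner: str      # username of the customer who owns this device
    email: str


# Constructed sample data standing in for the account database.
ACCOUNTS = {
    "89014104243000000001": Account("89014104243000000001", "alice", "alice@example.com"),
    "89014104243000000002": Account("89014104243000000002", "bob", "bob@example.com"),
}

# Denied lookups per requester; a crude but useful enumeration signal.
DENIALS: Counter = Counter()


class AuthorizationError(Exception):
    pass


def lookup_unprotected(device_id: str) -> Optional[str]:
    """Vulnerable pattern: the identifier in the URL is the only 'credential'.

    Anyone who can guess or iterate identifiers receives every customer's
    e-mail address, which is exactly the exposure the article describes.
    """
    acct = ACCOUNTS.get(device_id)
    return acct.email if acct else None


def lookup_protected(session_user: Optional[str], device_id: str) -> str:
    """Hardened pattern: require an authenticated session and check that the
    session's user actually owns the requested identifier.

    Both failure modes raise the same error so a caller cannot distinguish
    another customer's identifier from one that does not exist.
    """
    who = session_user or "anonymous"
    if session_user is None:
        DENIALS[who] += 1
        raise AuthorizationError("login required")
    acct = ACCOUNTS.get(device_id)
    if acct is None or acct.owner != session_user:
        DENIALS[who] += 1
        raise AuthorizationError("not permitted")
    return acct.email


def enumeration_suspects(threshold: int = 5) -> list:
    """Requesters whose denied lookups reached the threshold. In a real
    deployment this would be keyed by session or source address and fed to
    alerting; here it simply returns the sorted list of suspects."""
    return sorted(w for w, n in DENIALS.items() if n >= threshold)


if __name__ == "__main__":
    # The unprotected lookup returns Bob's address to anyone who supplies his ID.
    print("unprotected:", lookup_unprotected("89014104243000000002"))
    # The protected lookup only answers the owner.
    print("protected (owner):", lookup_protected("alice", "89014104243000000001"))
    try:
        lookup_protected("alice", "89014104243000000002")
    except AuthorizationError as e:
        print("protected (non-owner):", e)
```

The ownership test is the whole fix: the identifier stays in the URL, but it is no longer treated as proof of who is asking. Returning one generic error for both "not yours" and "does not exist" keeps the hardened endpoint from leaking which identifiers are valid.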
Because computer science has yet to discover a systematic way to find and fix all the vulnerabilities in real-world systems before they get deployed, independent security researchers who discover and report weaknesses have become an essential part of the security ecosystem. Continually poking at systems to seek out hidden flaws is the only hope we have of staying ahead of the bad guys, and the software industry has largely come to recognize that the motley assortment of academics, consultants, and hackers who look for security holes are a community to be cultivated and encouraged — even if the proof of vulnerability they bring may sometimes be painful and embarrassing.
But that doesn’t mean the ones who find an exploitable flaw in a fielded system can expect to be greeted as heroes.