Andrew Auernheimer (weev) and AT&T

Dave!

Hey gang,

Thought for a bit of variety I'd post a thread that isn't asking for help with some code, etc.!

I was just reading this interesting article on TechCrunch written by Andrew Auernheimer, about how he is being prosecuted (and from his perspective, persecuted!) for exploiting a gaping security hole in AT&T's IT infrastructure; he retrieved a list of email addresses from their publicly accessible API, which didn't require any security credentials to get at - just the know how. He subsequently gave an excerpt of the list to a journalist at Gawker, who wrote about the security lapse.

Anywho, there's a bit of a debate going on in the comments section on TechCrunch about whether he was at fault for doing what he did, or if he was right to expose the egregious security lapse. Should he have given the information to the company privately, should he have just retrieved a small number of email addresses to prove that he could (rather than the full list), is this more comparable to picking a lock or to walking through an unlocked door (they're coming up with all sorts of analogies on TC), etc.?

I seem to recall taking a "Computer Ethics" (or something) class in college, and I'm sure if that class hasn't been discontinued that there is robust debate going on about this kind of thing!

Do ye have any thoughts on it?

28064212

Relevant. Student expelled after accessing college computer databases. The student involved accessed it once, and alerted the college to the problem. One month later, after not hearing anything, he tried the same exploit. Still not fixed. But they had monitoring software, so expelled him for hacking.

It's complex, and I'm not sure analogies are particularly useful. Online is not the same as offline. At the very least, the organisations involved are negligent with their customer's data