- We, the undersigned, are computer security researchers and professionals.
- In our day-to-day work, we protect American citizens and businesses from
- criminals who seek to profit by illegally accessing private computers
- and private data. From time to time, we also encounter mistakes in
- programs or websites we use which could lead to the inappropriate
- disclosure of private business or consumer information. When this
- happens, professional ethics dictate that we assist the innocent
- victims of such security errors.
- Andrew Auernheimer is a security researcher and a respected member of
- our community because of the core principles he stands upon.
- When Mr. Auernheimer discovered a URL on an AT&T website that disclosed
- the private email addresses of over 114,000 AT&T customers, he brought this matter to
- the attention of the victims of AT&T's poor security practices -- its
- customers -- via the media. The URL was publicly accessible and required no "hacking"
- of any sort; it had been published, by AT&T, on the open Internet,
- where anyone could use it. Indeed, we will likely never know who else
- had already accessed the information, prior to Mr. Auernheimer.
- Mr. Auernheimer's actions are those of a conscientious whistleblower and
- not those of a criminal.
- AT&T had such a lapse in protecting the privacy of their customers
- that it has forced them to attempt to shift focus away from themselves, and somehow
- they have made the prosecution an unwitting partner. It is easy to deduce why AT&T would
- want this: namely, if AT&T does not find a scapegoat to blame, it would be
- they who could and would be severely punished for negligence, not only in
- criminal court but potentially in class-action type civil litigation because of
- the high number of victims.
- Mr. Auernheimer has a long history of sending messages that their
- recipients do not like, typically due to the form they take. We
- respectfully submit that this is a red herring. Whether Mr.
- Auernheimer's style is distasteful or not has no bearing on the
- magnitude of the privacy breach he discovered, nor on the moral correctness of
- his actions.
- We steadfastly believe that the charges against Mr. Auernheimer are
- not only unwarranted, but serve to chill the entire field of research
- into security vulnerabilities. The simple act of incrementally
- traversing open directories not only does not constitute
- "hacking", it is a commonly used method to determine the scope of public
- accessibility to information that should be properly secured.
- If we are legally barred from using non-destructive, non-invasive
- techniques to triage vulnerabilities, it will hamstring the security community's
- efforts to keep the Internet safe for the public.
- We urgently request that these charges against Mr. Auernheimer be
- dropped in the interest of national security. A conviction in his
- case will not only have a chilling effect on researchers like us who work
- to secure critical infrastructure, it will inevitably lead to other
- systems being compromised due to the inability of security
- professionals, like ourselves, to even identify such vulnerabilities
- without running afoul of the law. Criminals operate in secret -- they
- don't hand their findings over to the press. Mr. Auernheimer has
- acted in the interest of the public, not as a criminal.
- Respectfully yours,
- <signatures>