The recent conviction of Andrew “Weev” Auernheimer for identity theft and conspiracy has renewed interest in the question of what researchers should do when they find security vulnerabilities in popular products. See, for example, Matt Blaze’s op-ed on how the research community views these matters, and Weev’s own response.
Weev and associates discovered a flaw in AT&T’s handling of consumer information, which allowed anyone to download personal information about users of AT&T’s iPad wireless data service. Weev wrote code that systematically downloaded information on more than 100,000 of those users. Was that enough to get him convicted? Reading between the lines of press accounts, it’s clear that that behavior, together with Weev’s long history of unsavory (though lawful) online speech and his personal eccentricities, was enough to get him convicted.
This will only make researchers more cautious about public discussion of vulnerabilities, which is a shame, because the research community is one of the main sources of public pressure on companies to follow better security practices. Though some companies seem to ignore or downplay security problems in their products (see Jeremy’s recent post for one example), the flow of information about the presence of vulnerabilities plays an important role in helping the market reward good security and punish laxity.