You couldn’t help but read Andrew Auernheimer’s Statement Of Responsibility for his crime of breaking into unsecured APIs on the AT&T website (the iPad hack) and wonder in what world we think it is okay for someone to go to jail for potentially many years because they exposed such shoddy security on a public Internet site.
Because the article indicates he instead contacted a news publisher, I wondered why Auernheimer didn’t contact AT&T first to show them the flaw; until he responds, I can only assume he was simply concerned the security team there would threaten exactly what has since happened to him, something seen recently in Australia with security researcher Patrick Webster, for example.
It’s possible the CFAA, the law used both against Auernheimer and Aaron Swartz, formed part of his consideration. For those unfamiliar with what appears to be nothing more than hastily strung barbed wire around badly dug moats, here are a couple of articles describing what it tries to cover and what it doesn’t.
It seems to me that what we have here is a law being used like a shark net on a beach: fostering a false sense of security and allowing businesses to avoid taking responsibility for their own failures when it becomes clear they have failed to invest adequately in securing critical and personal data.
Just as the shark net does, instead of simply preventing the threat from breaking through, it catches everything that falls into it, threat or not. But unlike with the shark net, the collateral damage of having someone else to blame when the shortcomings are found out is sometimes not acceptable to the public.