In a New Jersey courtroom last month, federal prosecutors described Andrew Auernheimer as a publicity-hungry hacker who violated the privacy of thousands of iPad owners by disclosing their email addresses to a reporter.
A jury agreed, finding him guilty of identity theft and conspiracy to gain unauthorized access to computers. He faces up to 10 years in prison.
But security researchers worry that Auernheimer's conviction could jeopardize Internet security by creating a chilling effect on their work. These researchers, known as "white hat" hackers, find security flaws and report them to companies that are supposed to fix them before "black hat" hackers exploit them to harm consumers. Some say Auernheimer's conviction may make these good hackers more reluctant to disclose their findings, leaving consumers less safe online.
"If other researchers find flaws but are scared about disclosing them, that's going to give them pause," Jeremiah Grossman, founder of the security firm White Hat Security, said in an interview. "And that makes it easier for the bad guys to put people at risk."
Dave Aitel, founder of the security firm Immunity, said Auernheimer's conviction may have widespread implications for his industry.
"It's obvious to anyone with a technical background that the case the FBI brought against him is a travesty, and the fact that they won is even more insane," Aitel wrote. "If they manage to make it stick, the collateral damage is all of us."
Two years ago, Auernheimer, 27, known online by the nickname "Weev," found a security loophole in an AT&T server that allowed his self-described security group, Goatse Security, to collect 114,000 email addresses belonging to iPad 3G users. He turned over that information to a reporter at Gawker, which posted some partially redacted addresses, prompting an FBI investigation.
Security researchers typically turn over security flaws they discover to manufacturers and give them time to patch them before going public with their findings. But some believe that going public is the only way to force a company to improve its security.
Prosecutors said Auernheimer should have disclosed the flaw to AT&T, or to federal authorities.
"If he thought there was a real security vulnerability he could have done something else. He could have contacted the FBI," Zach Intrater, an assistant U.S. attorney for the District of New Jersey, said in court last month. "But he didn't do that either. He only contacted reporters and you know why? Because his real motive was to publicize Goatse Security so he could market himself for financial gain."
Auernheimer said AT&T knew about the loophole and both the company and the FBI would have ignored him if he brought it to their attention. He said consumers should be informed when a company puts their security at risk.
He also said he does not adhere to the same code of ethics as "white hat" hackers. Last week, he wrote an op-ed in Wired arguing that researchers should disclose security weaknesses to someone "who will use it in the interests of social justice" and "facilitate the public shaming of a web application operator" -- and not directly to companies.
"My moral obligation is not to help AT&T, it's to criticize them," Auernheimer said in an interview with The Huffington Post.
AT&T declined to comment.
As he awaits his sentencing, scheduled for February, Auernheimer said he spends his days working and his nights partying. On a recent morning, he sat on a white leather couch in an apartment in lower Manhattan. Cigarette butts sat in an ashtray on a coffee table. Bottles of liquor lined one of the walls next to a flat-screen TV. Auernheimer said it was an office for a company that he works for, but refused to disclose its name.
He wore a black hoodie, black combat boots, thick-framed glasses and cuffed jeans, and had a thin red beard. He spoke with a deep gravelly voice and a slight Southern drawl, peppering his sentences with expletives and laughter.
He said he works in "material sciences," "disaster response" and "aluminum welding." He insisted he doesn't need the money because a community of hackers pays his rent, food and transit. He spends his free time reading Greek classics ("I'm a big fan of the pre-Socratics, personally.") and attending parties until 6 a.m.
He described himself as a philosopher, a prophet, and "a fed-up guy from Arkansas." A website created to raise money for his legal defense describes him as "the world's most notorious Internet troll" who "never takes anything seriously and generally treats life as a piece of performance art." As a troll, he frequently says things just to evoke an emotional response from people. He told The Huffington Post his last wish before going to prison was to play a game of paintball on jet skis.
His bail conditions preclude him from using a computer, but he still uses a smartphone and broadcasts his thoughts on a variety of topics, including cybersecurity, on Twitter, where he has nearly 3,000 followers.
He said he was not surprised that he was found guilty and expects to win his case on appeal. He also said he isn't afraid of prison, and plans to keep a blog during his incarceration.
He said his conviction has brought more attention to his message -- that corporations are evil and deserve criticism -- than any prank he could have pulled online.
"They've done my message a huge favor," he said. "What I'm trying to say has been greatly helped by the fact that the federal government is shoving me in a prison cell."