3 minute read | May.24.2014
Self-proclaimed Internet troll and hacker Andrew “weev” Auernheimer has big plans now that he’s been sprung from prison.
We identified Auernheimer’s imprisonment and appeal as one of the top trade secret stories of 2013: A member of “Goatse Security,” Auernheimer discovered a vulnerability in AT&T’s website associated with 3G service for the iPad in June 2010. He and an associate figured out that if they sent a HTTP request with a valid ICC-ID (data found on an iPad’s sim card), they could retrieve the email address associated with that ID from the AT&T website. Fellow hacker and associate Daniel Spitler wrote a script that “slurped” the email addresses of 114,000 users (the script was called the “iPad 3G Account Slurper”). Weev shopped the addresses and news of the breach to Gawker, which took the bait. The FBI got wind of the exploit, however, and their investigation led to a criminal complaint in 2011 and a 2013 conviction on cybercrime charges that carried a 41-month prison sentence. Nevertheless, Auernheimer claimed to have used only industry-standard practices and that he and his associates “tried to be the good guys.”
Auernheimer is now out of the Allenwood Federal Correctional Complex in White Deer, Penn. Following the Third Circuit’s April 11, 2014 vacation of his conviction on venue grounds and his release from custody, Auernheimer was off and running with a new business. This time, it’s a new hedge fund, TRO LLC (yes, friends, that’s “Troll Company”). In a new twist on “industry research,” Auernheimer recently told The Washington Post that he plans to short the stocks of companies with security vulnerabilities. Auernheimer’s business model will allow investors to benefit from “security researchers” who will identify vulnerabilities; TRO LLC will then bet against these companies in the stock market before publicizing the companies’ problems. The plan is rife with possibilities. (For the record, Auernheimer is clear that he and his associates seek a way to “monetize” their talents “without doing something which is amoral.” They are, after all, not going after mom and pop small companies—“there’s no money in it.”) In the meantime, corporate America would do well to watch their virtual back doors closely—and perhaps to hire their own army of “security researchers.”
Will TRO LLC’s tactics land Auernheimer in yet more hot water? Time will tell. But Auernheimer appears comfortable with any possibility, declaring to the Post that he “will place [his] body on the altar of liberty 10 more times if it will help overturn the CFAA [Computer Fraud and Abuse Act].” And Auernheimer’s going on offense on a second front: he just published his “open letter” to the U.S. government demanding restitution for the acts of a “criminal conspiracy” of “sedition and treason” perpetrated by law enforcement in the course of his criminal investigation and prosecution. The letter then lauds “patriots” like Timothy McVeigh and states that Auernheimer will only accept Bitcoin as restitution (noting that U.S. dollars are unacceptable because they are used by the FBI, DOJ, ATF, and Federal Reserve, and Auernheimer refuses “to assist criminal racketeering enterprises.”) So there’s that.
Back in New Jersey, U.S. Attorney Paul Fishman announced at the N.J. Bar Association’s annual conference that his office may appeal the Third Circuit’s ruling to the Supreme Court. But a funny thing happened over at the courthouse: Fishman’s office already agreed to dismiss the indictment against Auernheimer back in April.
We suspect there is nothing left to appeal here. Hey, Fishman, what have you got up your sleeve over there? TSW is waiting by the phone.