Date: 2023-03-10

On the last Thursday of every month, in the walled-off back room of an unassuming North Austin sports bar right off I-35, a variety pack of 40-some-odd information sector types – computer programmers, web developers, and the like – convene for a couple of evening hours to present the latest coding bugs they've uncovered. They call themselves Austin Hackers Anonymous, abbreviated as AHA! like the Eighties pop act (leave it to hackers to claim the URL takeonme.org). Recording and filming aren't allowed, everyone must contribute, and if someone wants to pitch a product or company, well, they must buy booze, per the bylaws. Needless to say, the crowd is a rowdy bunch of nerds.

"At its heart, it's a hacker meetup for InfoSec professionals," said AHA! founder Tod Beardsley. The collective started up more than a dozen years ago, but in early February, they officially joined the Common Vulnerabilities and Exposures system. Think of CVE as a global dictionary for flaws in computer programs and software. As a CVE Numbering Authority (CNA) vendor, AHA! members can report vulnerabilities for both assets they control (including their website and communication channels) and assets owned or operated by other organizations. So, in their free time, these hackers are inspecting code, finding errors that can lead to serious security risks, and reporting them to an international authority. "A safer and more secure internet is critical for culture and society," Beardsley said.

Cybersecurity companies and researchers comprise the bulk of CNA vendors. After all, many in the field are penetration testers who, in Beardsley's words, "get paid to show up, break into someone's network, and tell them how they got in." He said CVE recognizing AHA! as a numbering authority is "bizarre, because as far as I know, we're the only unorganized hacker collective that is also a CNA." (A scan of the 274 CVE partners confirms this.)

While the CNA designation comes as a surprise, this isn't AHA!'s first time being ahead of the curve. Since their initial gathering over a decade ago, hackers in several cities across the country have emulated AHA!'s meeting format, including Houston Area Hackers Anonymous (HAHA), Bay Area Hackers Association (BAHA), and the Phoenix Secret Society of Hackers (PSSH). Austin's club has no direct affiliation with the others, though certainly enough influence to call them "our spawn" on their website.

And although a certain journalist couldn't sneak into the hush-hush meeting room, Beardsley filled me in on the general rundown. "We are very elitist and gatekeepy," he admitted, "[but] we're all in the same industry. We're not colluding or anything, just swapping tips and tricks." What happens behind the gated area of Mister Tramps Sports Pub stays there – leaks lead to lifetime bans. He said the privacy policy encourages hackers to share their findings in a safe environment. To avoid getting booted from AHA!, everyone in attendance must present to the assembly a five-minute talk. Lectures lasting much longer will be met with severe heckling. The fine print reads, "If you must exceed 10 minutes, it better be damn worth it."

Many of the vulnerabilities AHA! identifies and reports are exploitable, like tricking less tech-savvy users into clicking on dangerous links in emails, a practice called phishing. When hackers find these bugs, Beardsley said, he urges them to report them to the vendors, which can be a tricky process as many companies are litigious to a fault. The way he sees it, "if you don't fix it, bad things will happen to you because while I may be very, very smart, I'm probably not the last person to see this, and I'm probably only the most recent person to notice this."