by loup-vaillant 3245 days ago
Maybe they could use some threatening instead of a proper report. Go to a public spot, open up a Tor browser, then report the vulnerability. Something like this:

"I have hacked your system, accessed <this information> and modified <that bit of data>, using <this procedure>. You have <this time> to send <this much> Bitcoins to <this wallet>, or I <copy or trash> your database. Thank you for your attention."

Maybe they will panic strongly enough to actually do something about the issue.


That is quite straightforward and makes it clear from all perspectives.

From the hacker "hat classification" perspective, that's obviously black hat, nothing gray about it.

From the legal perspective it's not a debate anymore (like in the original article): if you do this, it's clearly a crime. If you get caught in whatever way (e.g. by bragging about it someplace later that leads to your person, or by testing a "discounted" pass in some place that has cameras), it's a straightforward conviction for extortion.

From the ethical perspective, that is an unethical action, doing that shows that the person is immoral.

But you are right, yes, it can be quite effective, and definitely makes it more likely that they will panic strongly enough to actually do something about the issue. It's just that if this happens, then it's not sufficient to just fix the hole, identifying and catching the perpetrator becomes a big part of what they should be doing.

My understanding was that you just threaten to do those things but don't actually follow through on those threats. Then it's grey hat and ethical but still not legal. If they actually pay the bitcoins and don't fix the issue then you despair and go on with your life. It's hard to spend the bitcoins without deanonymising yourself, but you can try to give them to charity or something.

No, simply making that threat ("send <this much> Bitcoins to <this wallet>, or I <copy or trash> your database") is very definitely a crime (and black hat, and unethical) even without any followup.

That's as classic as it can be, there's nothing new or technology related about this - for example, sending an anonymous message "Send cash or I'll burn your house" is a crime (and unethical) even if you don't burn anything. It is a crime (and unethical) even if you're just making an empty threat and never intend to burn anything, it still is extortion.

Arson is one crime, and extortion is a separate crime punishable by itself. If you don't attempt to delete their data then you (obviously) don't get charged with deleting their data, but making threats like that is not acceptable in any way (legal or ethical) whatsoever. Once you press "send" on a message like that, you've crossed a very serious line.

Like I said above, it is a crime. But it's ethical because it's intended to force them to fix their system before someone does something much worse.

Do you believe that you have a moral right to force them to do anything?

Is there a moral imperative that they are morally required to secure their systems and that others should/could demand that they must do so? It definitely could be in certain cases (for example, a hospital storing confidential data of their customers), but in the usual situation where it's just their data and their money, isn't that their moral right to decide how high a fence (if any!) they want to build around their property?

Telling someone "hey, you forgot to lock your door" is a good thing, but ultimately IMHO it's their decision if they want to lock the door or accept those risks.

Yeah, I agree 100%. But in a lot of the cases mentioned in this thread the private data of the company's customers was at risk. For example, the system in the original article allowed you to access other people's names, addresses and national ID numbers. I was thinking only of situations like these; there's no reason to threaten a company if they're the only ones at risk.

I really can't see how this is unethical or immoral in any way.

You don't see anything unethical or immoral about telling a company "I hacked your systems, send me money or I'll delete all your data"? It's obviously a crime.

> You don't see anything unethical or immoral about telling a company "I hacked your systems, send me money or I'll delete all your data"?

I do, however loup-vaillant's post also contained the following, which makes it not immoral nor unethical:

> accessed <this information> and modified <that bit of data>, using <this procedure>. You have <this time>

Also, you need to panic them, you do not necessarily need to delete or copy their data (but even if you did, I see nothing evil in it. They are the ones that refused to fix it within the time given after all).

> It's obviously a crime.

Doesn't mean that it's immoral or unethical.

If you point out that my front door is unlocked, and I decide to keep it unlocked forever (i.e. refuse to fix it), then it doesn't mean that it somehow becomes ethical to enter my house and take my stuff. It might be stupid on my part to keep it unlocked, but a thief is still ethically a thief even if I carelessly kept it unlocked forever. My "door" might as well be a line in sand or a sign "don't enter" on a pathway - not a security measure at all, just an indication where the boundary is, but still unethical to cross it. Much more so would be sending a note "lock your door, send me money or I'll take or damage your stuff", as in the original example.

Threatening to harm someone unless they do what you say is immoral even if you don't harm them; it's not ethically acceptable to threaten others.

If you had classified information behind your open door, you could be sued if anyone stole it (or worse, depending on the level of classification). Sometimes, one is legally required to take appropriate steps not to unwillingly disclose information. I believe users' personal information should fall under this category. (I believe it does in some cases.)

If your leaving the door open leaves not only you, but others, vulnerable, the discoverer of the broken lock may very well have a moral obligation to protect those innocent people, by whatever means appropriate.

What is appropriate depends on the situation. I expect in most cases, just telling you the door is open may be enough. But if you are being particularly obnoxious, threats may be the only way. In some extreme cases, burning the house down to avoid the disclosure of the sensitive information that would harm countless innocents may be the best course of action.

The legal system even has analogous situations, where a judge can order the orderly destruction of some unsafe building. The only (yet crucial) difference is, judges aren't vigilantes. But this is fixable: one could have the law allow the vigilante to send a cease & desist letter saying "fix your door or I'll have a judge burn your house down".

> It's obviously a crime.

Perhaps. But being a crime does not automatically mean something is immoral or unethical.

So you should just become a malicious actor and actually break the law? Good plan.

Becoming a malicious actor, no. Looking like one, definitely. Break the law, most probably. Also, I would rather threaten to publish if I did this for real.

It's risky and scary, but also the right thing to do in some cases.

You could also fail to report at all, and let their ship sink. Maybe they deserved it.

What difference does it make if the outcome is the same?

Not the outcome for the informer in case one gets caught and accused of threatening for ransom.

Better hope you've not left any evidence on their systems then, you know, like a discounted transport pass.

Wrong. The latter half should read:

You have <this time> to fix the issue, or I <copy or trash> your database.

Asking for extortion does not push them to fix their systems, only to pay you and/or find you.