by voakbasda 1632 days ago
Yup, this was totally criminal in most jurisdictions. I don’t care if the person intended to help; this kind of vigilante hacking deserves to land you in prison.

You want a bounty? Talk to me before you break into my systems. Because once you do that without my permission, you have proven yourself completely unworthy of being trusted. Why should I believe that you have not installed a rootkit or other tech that you did not subsequently disclose?

You will need to be treated the same as any other criminal. If my insurance gets involved, that also probably means directly assisting with an attempt at criminal prosecution.

So, yeah, brilliant strategy. /s


Not sure why my comment got downvoted, but it very much feels like HN is defending this kind of behavior. This is why we can’t have nice things.
You can't have nice things because you aggressively criminalized the white hats, thus were never warned by them before a black hat took your nice things away.

> Why should I believe that you have not installed a rootkit or other tech that you did not subsequently disclose?

Because doing that and also disclosing your identity would be incredibly stupid?

> You can't have nice things because you aggressively criminalized the white hats

voakbasda even proposed giving a bounty. Is defacing a website and spearphishing the users (as is claimed higher up in the thread) needed for white hats to do their thing? I'm surprised that we aren't all in agreement that this isn't at least grey hat behavior.

It's unclear to me where the line is being drawn and a zero-tolerance policy applied with maximum criminal penalties pursued.

The whole world sucks: the companies who are slovenly with our data, the criminals who exploit that data when it is inevitably leaked, the grey hat hackers who "joyride to prove they found your keys" to use the memorable metaphor from elsethread, the circumstances which make probing for vulnerabilities incredibly risky because one misstep gets you a prison sentence, the resulting feast of vulnerabilities ripe for criminal exploitation...

Do you understand that, from the perspective of the person suffering an attack, there is absolutely zero difference between a good guy that breaks in without a contract, permission, or other sort of approval and an actual bad guy? The act of committing a crime actively destroys trust.

Come to me with a list of potential vulnerabilities that I can detect and investigate with an open source scanner, and we can talk. Come to me after you've already broken in, and you will never be granted the trust required to work on security systems.

I think this whole scenario effectively is perjury. Once someone has been proven to lie, everything associated with that lie needs to be vetted (or simply thrown out), because you have demonstrated that this person cannot be trusted to tell the truth. Does anyone here think that perjury is moral or ethical? Is the scenario presented here really that different?

The "person suffering the attack" is not the only party who suffers from an attack — the individuals whose information gets leaked also suffer when a company hoards toxic data and it inevitably spills.

From the perspective of those individuals, there is a dramatic difference between black hats who exploit their data and grey hats who humiliate the toxic data hoarders.

>You can't have nice things because you aggressively criminalized the white hats

This isn't how a white hat should behave. At the first issue, they should have stopped, reported, and waited. At the very least, a responsible disclosure, followed by a reasonable time, then maybe public disclosure, or just move on. Continuing to dig and steal information because someone didn't reply is unacceptable.

I cede the point. It's incredibly frustrating because the harm done is minuscule in comparison to the unsafe business practices exposed. The toxic data hoarder will skate, the messenger will be shot, and the public will continue to be victimized by black hats exploiting toxic data stockpiles.

Honeypots etc. make this absolutely true.

How do you know there’s a breach without seeing it?

How would Sega know there are AWS API keys in a public S3 bucket without vpnoverview defacing their careers site? Sega could probably, y'know, look in the S3 bucket at the identified file which contained the keys.

All of the things found could have been investigated by Sega and replicated if vpnoverview just documented how they got access to the info.

You don't have to joyride in a car to show the owner that they dropped their keys.

> You don't have to joyride in a car to show the owner that they dropped their keys.

This is the most accurate analogy I've seen in months, thank you for sharing it!

In this case SEGA, due to their incompetence, lost a bunch of car keys owned by other people despite claiming that they’ll keep them safe (and having a legal obligation to do so under GDPR). So I don’t see any problem with publicly exposing them.

A vulnerability or a breach?