by ff7c11 1635 days ago
By temporarily defacing the Sega website and modifying files I think they have crossed the line. Enumerating what access they have, rooting through S3 and reporting it is OK, but by messing around like script kiddies they can no longer claim good faith. Publicising that you've illegally defaced the website is a little silly. Of course, Sega should not have got themselves so completely owned. Sega deserved to be punished, but these VPN twits have clearly committed a crime and Sega should maybe sue their company.
6 comments

> Sega deserved to be punished

The store owner was gone on vacation, and thus the side of his store was riddled with graffiti. He deserved to get graffiti because he didn't take basic security precautions.

You don't need to break security to spray the side of a store. You do need to break security to deface a website.

Analogies are analogies; they're unnecessary in this case (nowadays), because we have laws to punish people who deface a website, and the law stands on its own.

It's akin to people who call 'copyright infringement' 'theft'. It's not the same, it's a different mechanic, damages are different, and... different laws apply. That doesn't mean one's right or wrong or anything like it; like I said: the laws stand on their own, respectively.

The store owner should have hired security staff to prevent their store from getting graffitied.

I can construct any sort of scenario such that victim blaming is always possible, when the reality is they shouldn't have to worry about their property being messed with.

To me this situation seems more like a store owner forgetting to lock the door, which somebody noticed; they came inside, put up a sign on the front window saying that the store owner is too stupid to lock his own door, and then called the owner to tell him about this.
I think "deserves" is a better word than "deserved".

The punishment for grossly negligent handling of PII should not be a childish website defacement, and should not be enforced by vigilantes. Obviously.

The punishment for mishandling PII like this should be a painful fine, a rigorous externally imposed technical audit, and possibly civil/criminal implications for senior leadership.

(If the last one sounds unreasonable, consider Equifax. Many executives in charge of security orgs do not have technical degrees and, more importantly, have not booked any time in the trenches. Being self-taught and having non-engineering degrees can be okay, but combining that with no in-the-trenches experience is inexcusable. Assigning security to corporate politicians who don't understand the work that they are managing should be criminally negligent.)

It's more like a store owner who left all his customers' names, addresses, credit cards, purchasing history and everything else just lying out there in the open. Public embarrassment is too light a punishment for the inevitable day when someone else comes and takes it. The real victims are all the people harmed by their negligence.
they don't deserve to get graffiti, but it is expected

they should be punished by legal means (legal proceedings or lawsuits) and by reputational damage

So the store owner can just leave all his customers’ credit card information lying around and ignore PCI compliance etc. because anyone who would possibly use it for nefarious purposes is a criminal?

How would you prevent such negligence?

> How would you prevent such negligence

The ones who are damaged by the negligence sue for negligence.

Similarly: those people who act recklessly can get sued for more, or even criminally prosecuted. Finally, someone who acts out with malicious intent can be sued / criminally charged with the highest crimes.

-----------

So in this "Sega" case: Sega can sue their security for the negligence.

Then, the hackers can be sued for something between recklessness and malicious intent.

Yeah, the law is flexible. "Justice" as a concept in the Western world revolves around both actions + intent. (With intent / state of mind in roughly 3 states: negligence, recklessness, and malice in that order).

It's a flexible system, albeit sometimes imperfect... but just applying it in a textbook manner to this case results in acceptable results IMO.

Two wrongs don't make a right
Strong disagree (not about the law claims, I'll leave that to the law-knowers), but the moral implications of 'crossing a line'. It reads like they revealed security vulnerabilities that had the possibility to harm others. I think they can be allowed some leeway in their methods.
Nope. That can come after responsible disclosure. Did they try the responsible path first? Looks like they notified and then kept going for another 10 days
> kept going for another 10 days

This is the problem I have. They kept going without permission. Leaving your key in the door doesn't give someone the moral authority to go through your house and look for other issues.

What if there were signs of a current and urgent matter?

This seems like the wrong time to bring in analogies, given that we all understand what's being done well enough to talk about it directly. Given that there were obvious problems that implied a clear and present danger to people, it seems reasonable to take more immediate, more effective measures.

My understanding is that the 'responsible' path can have groups pursue you while they try to cover up and deflect blame, instead of fixing the problem. Going down that path does not sound very responsible to me.
it seems like there's a couple of hundred consumer-facing VPN service providers, all with slick looking marketing websites to sell you a $5/mo service.

lots of them are nothing more than 1 or 2 people and some rented 1U servers or dedicated servers somewhere on whatever ISP they can find with cheap IP transit / DIA rates. maybe a part time website design/graphic arts person they found via fiverr to make things look cool.

from the perspective of a colocation-specialist ISP or medium sized generalist ISP that offers colo, they get lots of weird requests for colo and dedicated server services from VPN companies they've never heard of before. often with something like a corporate entity that exists in cyprus, panama or even weirder places.

looking at this in terms of the risk that a VPN provider presents to an ISP's reputation, IP space, attracting unusual volumes and numbers of DDoS, etc... there is a certain amount of "KYC" (exact same idea as finance industry KYC) that needs to go into a potential vpn service provider as a colocation client before quoting them a price or accepting them as a customer. fail to do that at your own risk.

it's very much in the weird/shady/grey market end of the ISP market.

the level of technical acumen and professionalism varies greatly between VPN providers.

> often with something like a corporate entity that exists in cyprus, panama or even weirder places.

Wait? How is Cyprus supposed to be a weird place to incorporate?

I suppose Delaware is weird too? It’s not like anyone is actually based there.

> looking at this in terms of the risk that a VPN provider presents to an ISP's reputation, IP space

None, because you obviously make the VPN provider bring their own IPs. And even if you don’t? Just block email and the IP reputation issue is solved.

> attracting unusual volumes and numbers of DDoS, etc..

This has calmed down so so much over the past years.

> fail to do that at your own risk.

Not much risk at all as long as you make them prepay their bills. Nobody is getting depeered because they offered colo to a sketchy VPN provider.

Literally nothing can happen, the big ISPs do not give a single fuck about this.

(I don’t have any involvement with VPN nonsense, but do have extensive experience with “bulletproof” hosting)

Who are reputable in the space?
mullvad, the company mozilla recently partnered with.

not much else...

I am biased because I do my own VPN so all of them seem shady to me.

Tangential to the thread, but I've never understood what people mean when they say this.

Do you run all your personal traffic through a VPS or something? That's not really offering the same thing as most VPNs. It hides your traffic from your ISP so they can't sell your data and snoop on you, but doesn't accomplish some of the anonymizing that an actual multi-user VPN can provide by adding additional traffic under the same IP.

So, what do YOU mean when you say you "do your own VPN"?

One of the VMs that I have on a system in colocation is my own customized OpenVPN setup, where I also run the openssl CA for it. My phone, laptop, etc all have their own keys.

It's set up for my own needs when I want to use a VPN from a weird place. Or simply to bypass artificial restrictions on traffic if I'm on amenity wifi in somebody's office, airport, hotel, etc. Since I can arbitrarily reconfigure it at will, and run multiple openvpn daemons from different .conf files listening on different ports with unique configurations (all relying on the same CA), I can do things like have one VPN that pushes a default route for my spouse's need to do internet things on restricted amenity wifi.

Another part of it pushes only routes to a few /24s that are my personal project servers, and the routing table on vpn clients remains otherwise unmodified. Sometimes known as a split horizon VPN.

More than 95% of the time I am not using it to run all my traffic through there.

It's also the gateway and pushes routing table entries to things that exist for my personal test/project/development VMs that are in private IP space, so I need to be connected to the VPN in order to talk to those.
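As an added illustration of the two-daemon layout the commenter describes (constructed example, not their own files), the configs below assume one shared CA under /etc/openvpn/pki/, two server certificates issued by it, a CRL from the same CA, and the RFC 5737 documentation ranges standing in for the project /24s; the first daemon pushes a default route, the second pushes only the project routes and leaves the client's routing table otherwise untouched.

```conf
# /etc/openvpn/server/full-tunnel.conf (constructed; not the commenter's files)
# Daemon 1: pushes a default route so all client traffic exits via the VPN
port 1194
proto udp
dev tun0
server 10.8.0.0 255.255.255.0
# Shared CA: every device key, whichever daemon it connects to, chains to this
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server-full.crt
key  /etc/openvpn/pki/server-full.key
dh   /etc/openvpn/pki/dh.pem
# Pre-shared tls-crypt key: packets without it are dropped before the TLS handshake
tls-crypt /etc/openvpn/pki/tc.key
# Refuse a server-role certificate presented by a client
remote-cert-tls client
# A revoked device key stops working on both daemons because both check the same CRL
crl-verify /etc/openvpn/pki/crl.pem
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
persist-key
persist-tun
user nobody
group nogroup

# /etc/openvpn/server/split-horizon.conf (second daemon on the same host)
# Daemon 2: pushes only the project networks; the client's default route is untouched
port 1195
proto udp
dev tun1
server 10.9.0.0 255.255.255.0
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server-split.crt
key  /etc/openvpn/pki/server-split.key
dh   /etc/openvpn/pki/dh.pem
tls-crypt /etc/openvpn/pki/tc.key
remote-cert-tls client
crl-verify /etc/openvpn/pki/crl.pem
# Only these destinations are routed through the tunnel (RFC 5737 ranges as placeholders)
push "route 203.0.113.0 255.255.255.0"
push "route 198.51.100.0 255.255.255.0"
# Lab VMs in private space behind this gateway, reachable only while connected
push "route 10.20.0.0 255.255.0.0"
persist-key
persist-tun
user nobody
group nogroup
```

Each file is started as its own `openvpn --config` instance; the full-tunnel daemon additionally needs IP forwarding and a NAT rule on the host, which is outside these files.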

Thanks for responding, that sounds cool! I have contemplated a similar setup myself.
> thread about sec

> OpenVPN

Seconded mullvad. The only vpn provider which accepts cash by mail as a payment method.

No email needed for sign up either.

protonmail
> By temporarily defacing the Sega website

I may have missed it but what did they deface?

I see a proof of script execution in what appears to be an uploaded file of a random string of letters and numbers .htm address.

So if done correctly there is a near zero chance of any public user stumbling into the site.

They clearly said they modified careers.sega.co.uk and posted a screenshot of the careers site displaying vpnoverview's logo (https://vpnoverview.com/wp-content/uploads/screenshot-about-...)
It's been taken down, but still available through https://web.archive.org/web/20211230160444/https://vpnovervi...
They say it "briefly" showed that logo. Who knows how long that is.
The question was whether a site was defaced, not how long it was defaced for.
> Sega deserved to be punished

I don't understand this way of thinking. They made a serious security oversight, but that doesn't mean that they deserve to have their website defaced.

> Sega deserved to be punished, but these VPN twits have clearly committed a crime

I think the rest of the sentence makes it clear the author didn't intend to support defacement as punishment.

Sure, but I'm saying that they don't deserve to be punished at all.
Nah man, don't blame the victim. If I don't lock my door it doesn't mean that I have invited burglars into my home.