by phnofive 1631 days ago
Did Sega agree to this public disclosure?

Referring to the HackerOne standards, it appears your team violated a couple:

> Respect privacy. Make a good faith effort not to access or destroy another user's data.

> Do no harm. Act for the common good through the prompt reporting of all found vulnerabilities. Never willfully exploit others without their permission.


Publicly disclosing it seems to clearly fall under ‘Act for the common good through the prompt’ since SEGA’s users are the real victims in this situation and have the right to know that SEGA is incapable of keeping their data safe.
This sounds similar to justification used by ransomware groups.
Only under the most carelessly superficial analysis.

Is there any limit to the vast, systemic negligence and enabled criminality which can be excused away into nothingness because the circumstances under which they were made public were problematic?

This isn't a criminal prosecution of the company who was irresponsible with user data. If the people who exposed the negligence screwed up, that doesn't mean we have to act as though the negligence never happened.

Demonizing the messenger while remaining silent about the message is a choice.

Mostly agree. It is unfortunate that the methods used by the messenger add distractions to the situation.

The point I am trying to make is the ends don't absolve the hacker from consequences. Ransomware operators often blame their victims for poor security and frame their actions as security-as-a-service.

> The point I am trying to make is the ends don't absolve the hacker from consequences.

I agree on this point. I see it as analogous to holding your allies to a standard that your adversaries are unwilling to uphold.

In this case I categorize both black hats and toxic data hoarding companies (including their techie apologist employees) as "adversaries" (though I don't assert you agree with my assessment).

> Ransomware operators often blame their victims for poor security and frame their actions as security-as-a-service.

Despicable victim blaming by the very party doing the victimizing.

I understand why advertising a VPN service can be seen as analogous, even if the scale of profiteering is not comparable.

The argument against toxic data hoarding is easier to make when untainted by exploitative profit motive.