I get the sentiment and it’s a wise warning that at some point most people in grey hat spaces end up adhering to, but “do exactly as you’re allowed to do by large corporations” isn’t exactly a hacker ethos.
I don’t think that argument really works in situations like this because hacking Burger King requires a pretty high level of intent + ability and isn’t something that just naturally happens. Like you have to sit down and say “Today I want to try to hack Burger King” and then spend several hours doing just that.
To me it seems like quite a stretch for “don’t hack me” to get framed as “Burger King is leveraging their corporate power to tell me what to do against my will”.
And to be clear I actually do think that it would be better for Burger King to invite and reward responsible disclosure, in the same way that you’d want your bank to have a hotline for people to report problems like doors that won’t lock. But if the bank didn’t have that hotline it wouldn’t excuse breaking in.
This is a red herring. They're obviously being silenced because they just obtained evidence that Burger King is recording and algorithmically analyzing every customer interaction to ensure that their wage-slave employees say "You rule!" the correct number of times per order. This is horrifying and dystopic, and it's certainly the bigger story here.
Those people don't announce what they did traceably to their real name and address, because they know if they do, they'll go to jail.
The police and the judge and the jury don't care what colour fabric you put on your head this morning. They (in theory) care if you committed a crime and they can prove it. Which you did and they can, since you confessed. So you go to jail for a long time.
But why? Is it because we don’t have consent from companies to try /check whether they are secure? If so who protects customers from weak doors? or shareholders?
Weak doors is fun comparison. Imagine if someone regular found homes locked by Masterlock locks. And then riffled through everything just to see if they are sufficiently secured. Then reported to owners asking for security bounty...
I doubt that would go down very well, neither would it if you did that with businesses instead private home.
CEO was once annoyed with me while I worked IT (we handled facilities/security, too; was <100 employees) for testing how the camera worked for detecting human presence inside dev & design's room to unlock the double glass doors (for fire safety reasons, you must allow unrestricted exit). It acted like it was based on size of object in motion; if so many pixels were in motion from last frame, it triggers unlock without any other testing on if that object is a human.
It wasn't enough to just shove a folder through the gap of the doors; you had to ensure the folder opened up as it was falling, changing more of the pixels to get to the trigger threshold. It took me around 5 minutes to get it to consistently trigger. CEO was displeased dev & design team now knew how to bypass the door lock from the outside; he wasn't going to pay to fix it.
Maybe best to internalize Have It Your Way like BK's teams did.
Oh, this is a rabbit hole. As far as I can tell the pentesters' suit against the sheriff is still ongoing, but back in Iowa courts. The federal court's ruling is ... not good [1]:
1) The court found that the county sheriff had the pentesters arrested and encouraged their prosecution _not_ because he believed there was any crime, but instead that was angry at some state official. (Which, y'know, sounds like a pretty serious civil rights violation.)
2) However, the civil rights / 4th amendment claims were dismissed by the federal court due to "qualified immunity", the doctrine where, in any sufficiently "unique" or "specific" situation, the police have no liability whatsoever for their actions [2].
Stop targeting anything and just use anything as is! Especially, don't you even dare hit "view source" on a website. Believe it or not, straight to jail. /s
Why and what gives you the right to tell them off?
Hacking is hacking. If they wish to risk it, what's your problem?
They know the risks. Everyone knows hacking is illegal. Same with selling drugs; illegal yet folk do. Same premise.
Get caught; no sympathy given.
"People may get hurt"? $country throw folk in to war; it's a harsh world we live in.
Bug bounty's are only the new norm because the younger audience want validation and compensation for their skills or that companies are being cheap to ensure security.
During my era of internet bug bounties were non-existent. You either got hired or you went to jail.
In my case I got fired from a bank accidentally boasting that I could replace printer status messages with "Out of Ink - please insert more blood". Granted I was 17.
Being banned from using any computer at school for discovering a DCOM exploit using Windows 98 Help resulting in being denied from doing my IT GCSE and from two colleges.
Or being doxxed by another hacker group for submitting their botnet to an AntiVirus firm. Good times, a living nightmare for my parents.
It’s a free country, etc. Obviously I have the “right” to comment a warning on the internet.
The point of bug bounties isn’t “validation” (as if old-school hackers didn’t want validation!), it’s that companies with responsible disclosure programs explicitly allow you to pentest them as long as you follow their guidelines. That removes the CFAA indictment risk. The guidelines generally aren’t much stricter than common sense (don’t publish user data, don’t hurt people, give them time to patch before publishing).
Unfortunately, the existence of bug bounties has made some people forget that hacking a company without an agreement in place is still a crime, and publishing evidence of crimes to a wide audience on the internet is a bad idea.
Most of what you’re saying just seems like nostalgia talking. Isn’t it better that hackers today have a way to find real vulnerabilities without going to jail?
But it didn't come across a warning. "You need to stop" is a demand not a warning. And I would like to believe they would know this when post online. if not /shrug.
Maybe they're working on behalf of an organization, a country that doesn't follow CFAA; Russia, China? Maybe they're state sponsored or under protection. They're obviously not stupid if they can infiltrate Fast-Food chains and social engineer others but I've been wrong before.
> is a bad idea
I would be surprised if they didn't. If not, okay well if shit hits the fan; no sympathy for me. Unlucky. They're doing it at their own risk.
> Isn’t it better that hackers today have a way to find real vulnerabilities without going to jail?
A doubled edged sword, I personally wouldn't count them as hackers. They're not hacking, they're penetrating based on T&C of an agreement. Yes, it could be called "ethical hacking" but I still wouldn't call it hacking.
A hacker is one who gains unauthorized access to computer. Hacking isn't such when your granted restricted access on a basis of T&C.
> Isn’t it better that hackers today have a way to find real vulnerabilities without going to jail?
I don't disagree, if that's your skill then go for it. It's the safest route allowing you to harness your skills, and which may provide future prospects. A dispensary selling drugs is better than the dealer on the corner of the street.
"To hack a bank" is different then to "hack a bank based on some agreement". One carries more weight then the other. Your penetrating a bank on an agreement. Your not hacking.
Bug bounty hunters to have faced jail, lawsuits, or threats — even when acting in good faith, it doesn't make you invulnerable.
I admire the persona of who this is, their acts highlights concern to us who use such conveniences. It exposes truth and tackles the issue at hand where others may exploit you because of. It shows negative light to corporations that many folk who daily.
Their title as on their blog "Ethical Hacker" I would say suitable to describe them as that. It's not like they're siphoning money off folk from ransomware.
> Most of what you’re saying just seems like nostalgia talking.
What I was demonstrating as someone who's been in trouble due to misunderstanding computer mishaps as a teen back when, also to establish my point that I know what I am talking about.
Yeah, it turned in to a nostalgia trip. I'd call myself more of a script kiddie and one who I'd see myself as white-hat.
Black-hat can be interesting however my moral compass has caught up with me and that my life has more worth that it would be jeopardous to do such besides I don't have the time and among other things.
The US Constitution? (lot of assumptions of locations here, insert your charter of freedoms/other guarantor of rights here if parent comment OP is not in the US)
